[
https://issues.apache.org/jira/browse/HDFS-14434?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
KWON BYUNGCHANG updated HDFS-14434:
-----------------------------------
Description:
I have two secure Hadoop clusters. Both clusters use cross-realm authentication.
[email protected] can access HDFS of the B.COM realm.
By the way, the Hadoop username of [email protected] in the B.COM realm is
cross_realm_a_com_user_a.
The hdfs dfs command of [email protected] using B.COM webhdfs failed.
The root cause is that webhdfs connecting to secure HDFS uses the user.name parameter.
According to the webhdfs spec, insecure webhdfs uses user.name and secure webhdfs uses
SPNEGO for authentication.
I think webhdfs that connects to secure HDFS should not use the user.name parameter.
I will attach a patch.
Below is the error log:
{noformat}
$ hdfs dfs -ls webhdfs://b.com:50070/
ls: Usernames not matched: name=user_a != expected=cross_realm_a_com_user_a
# user.name in cross realm webhdfs
$ curl -u : --negotiate 'http://b.com:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN&user.name=user_a'
{"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed to obtain user group information: java.io.IOException: Usernames not matched: name=user_a != expected=cross_realm_a_com_user_a"}}
# USE SPNEGO
$ curl -u : --negotiate 'http://b.com:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN'
{"Token"{"urlString":"XgA....."}}
{noformat}
was:
I have two secure Hadoop clusters. Both clusters use cross-realm authentication.
[email protected] can access HDFS of the B.COM realm.
By the way, the Hadoop username of [email protected] in the B.COM realm is
cross_realm_a_com_user_a.
The hdfs dfs command of [email protected] using B.COM webhdfs failed.
$ hdfs dfs -ls webhdfs://b.com:50070/
{{ls: Usernames not matched: name=user_a != expected=cross_realm_a_com_user_a}}
$ curl -u : --negotiate 'http://b.com:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN&user.name=user_a'
{{{"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed to obtain user group information: java.io.IOException: Usernames not matched: name=user_a != expected=cross_realm_a_com_user_a"}}}}
{{$ curl -u : --negotiate 'http://b.com:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN'}}
{{{"Token"{"urlString":"XgA....."}}}}
The root cause is that webhdfs connecting to secure HDFS uses the user.name parameter.
According to the webhdfs spec, insecure webhdfs uses user.name and secure webhdfs uses
SPNEGO for authentication.
I think webhdfs that connects to secure HDFS should not use the user.name parameter.
I will attach a patch.
> webhdfs that connect secure hdfs should not use user.name parameter
> -------------------------------------------------------------------
>
> Key: HDFS-14434
> URL: https://issues.apache.org/jira/browse/HDFS-14434
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: webhdfs
> Affects Versions: 3.1.2
> Reporter: KWON BYUNGCHANG
> Priority: Minor
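A simplified model of the behaviour described in this issue, added as an example (it is not Hadoop's code and not the attached patch): a client that sends `user.name` to a secure endpoint is rejected when the server's Kerberos-derived name differs, while a client that relies on SPNEGO alone succeeds. The function names and the `send_user_name_when_secure` switch are hypothetical; the host, operation, user names and error text are taken from the report.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

BASE = "http://b.com:50070/webhdfs/v1/"  # NameNode address from the report


def build_url(op, local_short_name, secure, send_user_name_when_secure=False):
    """Client side: build a WebHDFS URL for `op`.

    send_user_name_when_secure=True models the reported client behaviour;
    False models the behaviour the reporter proposes.
    """
    params = {"op": op}
    if not secure or send_user_name_when_secure:
        params["user.name"] = local_short_name
    return BASE + "?" + urlencode(params)


def resolve_user(url, secure, spnego_user=None):
    """Server side: decide which user the request runs as."""
    claimed = parse_qs(urlsplit(url).query).get("user.name", [None])[0]
    if not secure:
        return claimed  # simple auth: the parameter is the identity
    if spnego_user is None:
        raise PermissionError("SPNEGO authentication required")
    # Secure mode: identity comes from Kerberos; a user.name that disagrees
    # with it is rejected rather than silently ignored.
    if claimed is not None and claimed != spnego_user:
        raise PermissionError(
            f"Usernames not matched: name={claimed} != expected={spnego_user}")
    return spnego_user


def demo():
    local, mapped = "user_a", "cross_realm_a_com_user_a"  # names from the report
    results = {}
    for label, send in (("reported", True), ("proposed", False)):
        url = build_url("GETDELEGATIONTOKEN", local, secure=True,
                        send_user_name_when_secure=send)
        try:
            results[label] = (url, resolve_user(url, True, spnego_user=mapped))
        except PermissionError as exc:
            results[label] = (url, str(exc))
    return results


if __name__ == "__main__":
    for label, (url, outcome) in demo().items():
        print(f"{label}: {url}\n  -> {outcome}")
```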