[
https://issues.apache.org/jira/browse/HDFS-14434?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16822977#comment-16822977
]
KWON BYUNGCHANG commented on HDFS-14434:
----------------------------------------
[~kihwal] HttpFS does not support the GETDELEGATIONTOKEN op. In insecure mode,
WebHdfsFileSystem does not call the GETDELEGATIONTOKEN op against HttpFS.
However, in secure mode, WebHdfsFileSystem first calls the GETDELEGATIONTOKEN op,
HttpFS raises an exception because HttpFS does not support that op, and it
finally fails.
This patch does not affect insecure mode, so in insecure mode there are no
compatibility problems.
And I agree with Eric Yang.
> webhdfs that connect secure hdfs should not use user.name parameter
> -------------------------------------------------------------------
>
> Key: HDFS-14434
> URL: https://issues.apache.org/jira/browse/HDFS-14434
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: webhdfs
> Affects Versions: 3.1.2
> Reporter: KWON BYUNGCHANG
> Assignee: KWON BYUNGCHANG
> Priority: Minor
> Attachments: HDFS-14434.001.patch, HDFS-14434.002.patch
>
>
> I have two secure Hadoop clusters. Both clusters use cross-realm
> authentication.
> [email protected] can access HDFS of the B.COM realm.
> By the way, the Hadoop username of [email protected] in the B.COM realm is
> cross_realm_a_com_user_a.
> The hdfs dfs command of [email protected] using B.COM webhdfs failed.
> The root cause is that webhdfs that connects to secure hdfs uses the user.name parameter.
> According to the webhdfs spec, insecure webhdfs uses user.name, secure webhdfs
> uses SPNEGO for authentication.
> I think webhdfs that connects to secure hdfs should not use the user.name parameter.
> I will attach a patch.
> Below is the error log.
>
> {noformat}
> $ hdfs dfs -ls webhdfs://b.com:50070/
> ls: Usernames not matched: name=user_a != expected=cross_realm_a_com_user_a
>
> # user.name in cross realm webhdfs
> $ curl -u : --negotiate 'http://b.com:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN&user.name=user_a'
> {"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed to obtain user group information: java.io.IOException: Usernames not matched: name=user_a != expected=cross_realm_a_com_user_a"}}
> # USE SPNEGO
> $ curl -u : --negotiate 'http://b.com:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN'
> {"Token"{"urlString":"XgA....."}}
>
> {noformat}
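The mismatch described in the issue above, as an added example that is not part of the original message or of the Hadoop code base: a small model of the client building the WebHDFS URL and of a secure server comparing user.name with the name derived from the SPNEGO principal. All function names are hypothetical, the principal user_a@A.COM is a constructed sample, and the mapping rule is an assumed stand-in chosen to reproduce the username shown in the error log.

```python
# Added illustration, not Hadoop source. All function names are hypothetical.
from urllib.parse import urlencode, urlsplit, parse_qs

def build_webhdfs_url(host, op, short_user, secure, send_user_when_secure):
    """Client side. send_user_when_secure=True models the reported behaviour,
    False models the proposal (user.name only when security is off)."""
    params = {"op": op}
    if not secure or send_user_when_secure:
        params["user.name"] = short_user
    return f"http://{host}/webhdfs/v1/?{urlencode(params)}"

def map_principal(principal, local_realm):
    """Constructed stand-in for the cluster's principal-to-username mapping,
    chosen to reproduce the cross_realm_a_com_user_a name from the report."""
    user, realm = principal.split("@", 1)
    if realm == local_realm:
        return user
    return f"cross_realm_{realm.lower().replace('.', '_')}_{user}"

def server_identity(url, spnego_principal, local_realm="B.COM"):
    """Secure server side: the user comes from the SPNEGO principal; a
    user.name parameter, if sent, must equal the mapped name."""
    expected = map_principal(spnego_principal, local_realm)
    claimed = parse_qs(urlsplit(url).query).get("user.name", [None])[0]
    if claimed is not None and claimed != expected:
        raise PermissionError(
            f"Usernames not matched: name={claimed} != expected={expected}")
    return expected

def run_case(send_user_when_secure):
    """Return (url, outcome) for the constructed principal user_a@A.COM."""
    url = build_webhdfs_url("b.com:50070", "GETDELEGATIONTOKEN", "user_a",
                            secure=True,
                            send_user_when_secure=send_user_when_secure)
    try:
        return url, server_identity(url, "user_a@A.COM")
    except PermissionError as exc:
        return url, str(exc)

if __name__ == "__main__":
    for flag in (True, False):
        print(*run_case(flag), sep="\n  -> ")
```

With the parameter sent, the client's local short name reaches a server that has already mapped the cross-realm principal to a different name, so the comparison fails; without it, the server uses only the SPNEGO-derived name.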