[
https://issues.apache.org/jira/browse/HDFS-14375?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16907862#comment-16907862
]
Jihyun Cho commented on HDFS-14375:
-----------------------------------
I tested DataNode with the keytab included two different realms.
{noformat}
klist -kt dn.keytab
Keytab name: FILE:dn.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 08/14/19 18:33:57 dn/testhost1....@test1.com
3 08/14/19 18:33:57 dn/testhost1....@test1.com
3 08/14/19 18:33:57 dn/testhost1....@test1.com
3 08/14/19 18:33:57 dn/testhost1....@test1.com
3 08/14/19 18:33:57 dn/testhost1....@test1.com
1 08/15/19 15:09:50 dn/testhost1....@test2.com
1 08/15/19 15:09:50 dn/testhost1....@test2.com
1 08/15/19 15:09:50 dn/testhost1....@test2.com
1 08/15/19 15:09:50 dn/testhost1....@test2.com
1 08/15/19 15:09:50 dn/testhost1....@test2.com
{noformat}
And KDCs are setted cross-realm trust already.
{noformat:title=KDC in TEST1.COM}
kadmin.local listprincs | grep krbtgt
krbtgt/test1....@test1.com
krbtgt/test1....@test2.com
krbtgt/test2....@test1.com
{noformat}
{noformat:title=KDC in TEST2.COM}
kadmin.local listprincs | grep krbtgt
krbtgt/test1....@test2.com
krbtgt/test2....@test1.com
krbtgt/test2....@test2.com
{noformat}
As test result, it can connect NameNode in TEST1.COM. But it still cannot
connect NameNode in TEST2.COM with below error.
{noformat:title=NameNode in TEST2.COM}
INFO SecurityLogger.org.apache.hadoop.ipc.Server: Auth successful for
dn/testhost1....@test1.com (auth:KERBEROS)
WARN
SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager:
Authorization failed for dn/testhost1....@test1.com (auth:KERBEROS) for
protocol=interface org.apache.hadoop.hdfs.server.protocol.DatanodeProtocol:
this service is only accessible by dn/testhost1....@test2.com
INFO org.apache.hadoop.ipc.Server: Connection from 10.231.225.12:34321 for
protocol org.apache.hadoop.hdfs.server.protocol.DatanodeProtocol is
unauthorized for user dn/testhost1....@test1.com (auth:KERBEROS)
{noformat}
Is there anything missing?
> DataNode cannot serve BlockPool to multiple NameNodes in the different realm
> ----------------------------------------------------------------------------
>
> Key: HDFS-14375
> URL: https://issues.apache.org/jira/browse/HDFS-14375
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: security
> Affects Versions: 3.1.1
> Reporter: Jihyun Cho
> Assignee: Jihyun Cho
> Priority: Major
> Attachments: authorize.patch
>
>
> Let me explain the environment for a description.
> {noformat}
> KDC(TEST1.COM) <-- Cross-realm trust --> KDC(TEST2.COM)
> | |
> NameNode1 NameNode2
> | |
> ---------- DataNodes (federated) ----------
> {noformat}
> We configured the secure clusters and federated them.
> * Principal
> ** NameNode1 : nn/_h...@test1.com
> ** NameNode2 : nn/_h...@test2.com
> ** DataNodes : dn/_h...@test2.com
> But DataNodes could not connect to NameNode1 with below error.
> {noformat}
> WARN
> SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager:
> Authorization failed for dn/hadoop-datanode.test....@test2.com
> (auth:KERBEROS) for protocol=interface
> org.apache.hadoop.hdfs.server.protocol.DatanodeProtocol: this service is only
> accessible by dn/hadoop-datanode.test....@test1.com
> {noformat}
> We have avoided the error with attached patch.
> The patch checks only using {{username}} and {{hostname}} except {{realm}}.
> I think there is no problem. Because if realms are different and no
> cross-realm setting, they cannot communication each other. If you are worried
> about this, please let me know.
> In the long run, it would be better if I could set multiple realms for
> authorize. Like this;
> {noformat}
> <property>
> <name>dfs.namenode.kerberos.trust-realms</name>
> <value>TEST1.COM,TEST2.COM</value>
> </property>
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
