[
https://issues.apache.org/jira/browse/HDFS-16686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17577460#comment-17577460
]
ASF GitHub Bot commented on HDFS-16686:
---------------------------------------
snmvaughan opened a new pull request, #4724:
URL: https://github.com/apache/hadoop/pull/4724
### Description of PR
GetJournalEditServlet uses request.getRemoteUser() to determine the
remoteShortName for Kerberos authorization, which fails to match when the
JournalNode uses its own Kerberos principal (e.g. jn/<hostname>@<realm>).
This can be fixed by using the UserGroupInformation provided by the base
DfsServlet class using the getUGI(request, conf) call.
### How was this patch tested?
Integration tests were performed against an HA configuration running in
Kubernetes, running Java 11. With the patch, exceptions which had previously
reported expected Kerberos principals which included an IP address string were
eliminated.
### For code changes:
- [X] Does the title of this PR start with the corresponding JIRA issue id
(e.g. 'HADOOP-17799. Your PR title ...')?
- [ ] Object storage: have the integration tests been executed and the
endpoint declared according to the connector-specific documentation?
- [ ] If adding new dependencies to the code, are these dependencies
licensed in a way that is compatible for inclusion under [ASF
2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [ ] If applicable, have you updated the `LICENSE`, `LICENSE-binary`,
`NOTICE-binary` files?
> GetJournalEditServlet fails to authorize valid Kerberos request
> ---------------------------------------------------------------
>
> Key: HDFS-16686
> URL: https://issues.apache.org/jira/browse/HDFS-16686
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: journal-node
> Environment: Running in Kubernetes using Java 11 in an HA
> configuration. JournalNodes run on separate pods and have their own Kerberos
> principal "jn/<hostname>@<realm>".
> Reporter: Steve Vaughan
> Assignee: Steve Vaughan
> Priority: Major
>
> GetJournalEditServlet uses request.getRemoteUser() to determine the
> remoteShortName for Kerberos authorization, which fails to match when the
> JournalNode uses its own Kerberos principal (e.g. jn/<hostname>@<realm>).
> This can be fixed by using the UserGroupInformation provided by the base
> DfsServlet class using the getUGI(request, conf) call.