[ https://issues.apache.org/jira/browse/HDFS-17276?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17793698#comment-17793698 ]

ASF GitHub Bot commented on HDFS-17276:
---------------------------------------

gp1314 opened a new pull request, #6326:
URL: https://github.com/apache/hadoop/pull/6326

   
   ### Description of PR
   
   - In a Kerberos environment, the namenode cannot fetch editlog from journalnode because the request is rejected (403).
   
   ![image-2023-12-05-20-59-33-728](https://github.com/apache/hadoop/assets/22268305/f19c2518-3fa9-4ceb-8570-63b0b38f682a)
   
   - GetJournalEditServlet checks if the request's username meets the requirements through the isValidRequestor function. After [HDFS-16686](https://issues.apache.org/jira/browse/HDFS-16686) is merged, remotePrincipal becomes ugi.getUserName().
   
   - In a Kerberos environment, ugi.getUserName() gets the request.getRemoteUser() via DfsServlet's getUGI to get the username, and this username is not a full name.
   
   - Therefore, the obtained username is similar to namenode01 instead of namenode01/host01@REALM.TLD, which means it fails to pass the isValidRequestor check.
   
![image-2023-12-05-21-05-49-180](https://github.com/apache/hadoop/assets/22268305/1a50c620-c8a3-4499-bdfe-2b064b709d9f)
   
   
   **reproduction**
   
   - In the TestGetJournalEditServlet add testSecurityRequestNameNode
   ```java
   @Test
   public void testSecurityRequestNameNode() throws IOException, ServletException {
     // Test: Make a request from a namenode
     CONF.set(HADOOP_SECURITY_AUTHENTICATION, "kerberos");
     UserGroupInformation.setConfiguration(CONF);

     HttpServletRequest request = mock(HttpServletRequest.class);
     when(request.getParameter(UserParam.NAME)).thenReturn("nn/[email protected]");
     when(request.getRemoteUser()).thenReturn("jn");
     boolean isValid = SERVLET.isValidRequestor(request, CONF);

     assertThat(isValid).isTrue();
   }
   ```
   
   
   
   ### How was this patch tested?
   
   
   ### For code changes:
   
   - [x] Does the title of this PR start with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
   - [ ] Object storage: have the integration tests been executed and the 
endpoint declared according to the connector-specific documentation?
   - [ ] If adding new dependencies to the code, are these dependencies 
licensed in a way that is compatible for inclusion under [ASF 
2.0](http://www.apache.org/legal/resolved.html#category-a)?
   - [ ] If applicable, have you updated the `LICENSE`, `LICENSE-binary`, 
`NOTICE-binary` files?
   
   
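The failure described in the PR comes down to which identity string the servlet compares against its allow-list: the configured namenode and secondary namenode principals are full Kerberos principals (primary/instance@REALM, with _HOST substituted per node), so a short name such as "namenode01" can never match them. The following Python model is an added example, not Hadoop's own code, written to make that mismatch concrete. It assumes a minimal configuration dictionary (the `dfs.namenode.hosts` and `dfs.secondary.namenode.host` keys are constructed for the model; the two `*.kerberos.principal` keys mirror real Hadoop property names) and reproduces only the full-principal comparison path of the check, not the servlet's other branches.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Union


@dataclass(frozen=True)
class Principal:
    """Components of a Kerberos principal name.

    A full principal looks like primary/instance@REALM; a "short name",
    such as what a servlet's getRemoteUser() returns after auth-to-local
    mapping, carries only the primary component.
    """
    primary: str
    instance: Optional[str]
    realm: Optional[str]

    @property
    def is_full(self) -> bool:
        # Only a name that still carries its realm can be compared
        # against configured server principals.
        return self.realm is not None


def parse_principal(name: str) -> Principal:
    """Split 'primary/instance@REALM' (or a bare short name) into parts."""
    realm: Optional[str] = None
    if "@" in name:
        name, realm = name.rsplit("@", 1)
    primary, _, instance = name.partition("/")
    return Principal(primary, instance or None, realm or None)


def server_principal(pattern: str, hostname: str) -> str:
    """Model of _HOST substitution for a server principal pattern.

    Hadoop performs the same substitution when it resolves a configured
    principal such as nn/_HOST@REALM.TLD for a concrete host.
    """
    return pattern.replace("_HOST", hostname.lower())


# Constructed configuration for the example; not taken from any cluster.
CONF: Dict[str, Union[str, List[str]]] = {
    "dfs.namenode.kerberos.principal": "nn/_HOST@REALM.TLD",
    "dfs.namenode.hosts": ["host01", "host02"],          # constructed key
    "dfs.secondary.namenode.kerberos.principal": "snn/_HOST@REALM.TLD",
    "dfs.secondary.namenode.host": "host03",             # constructed key
}


def valid_requestors(conf: Dict[str, Union[str, List[str]]]) -> Set[str]:
    """Build the allow-list of full principals permitted to fetch edits."""
    allowed: Set[str] = set()
    nn_pattern = str(conf["dfs.namenode.kerberos.principal"])
    for host in conf["dfs.namenode.hosts"]:
        allowed.add(server_principal(nn_pattern, host))
    snn_pattern = str(conf["dfs.secondary.namenode.kerberos.principal"])
    allowed.add(server_principal(snn_pattern, str(conf["dfs.secondary.namenode.host"])))
    return allowed


def is_valid_requestor(remote_name: str, conf: Dict[str, Union[str, List[str]]]) -> bool:
    """Model of the full-principal comparison in the journal edit check.

    Returns False for any short name: the allow-list holds full principals,
    so a caller that hands over getRemoteUser() instead of the authenticated
    principal is rejected, which is the 403 the PR describes. The fix belongs
    in the caller (pass the full principal), not in loosening this comparison,
    because matching on the primary alone would accept "nn" from any host or
    realm.
    """
    principal = parse_principal(remote_name)
    if not principal.is_full:
        return False
    return remote_name in valid_requestors(conf)


if __name__ == "__main__":
    for name in ("nn/host01@REALM.TLD", "nn", "nn/host01@OTHER.TLD"):
        print(f"{name!r:28} -> {is_valid_requestor(name, CONF)}")
```

Running the block prints the three cases side by side: the full principal for a configured namenode host is accepted, the short name the servlet ended up using is rejected, and a full principal from a foreign realm is rejected as well, which is why the comparison has to stay on the full name.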




> The nn fetch editlog forbidden in kerberos environment
> ------------------------------------------------------
>
>                 Key: HDFS-17276
>                 URL: https://issues.apache.org/jira/browse/HDFS-17276
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: qjm, security
>    Affects Versions: 3.3.5, 3.3.6
>            Reporter: kuper
>            Priority: Major
>         Attachments: image-2023-12-06-20-21-03-557.png, 
> image-2023-12-06-20-21-46-825.png
>
>
> * In a Kerberos environment, the namenode cannot fetch editlog from journalnode because the request is rejected (403).
> !image-2023-12-06-20-21-03-557.png!
> * GetJournalEditServlet checks if the request's username meets the requirements through the isValidRequestor function. After HDFS-16686 is merged, remotePrincipal becomes ugi.getUserName().
> * In a Kerberos environment, ugi.getUserName() gets the request.getRemoteUser() via DfsServlet's getUGI to get the username, and this username is not a full name.
> * Therefore, the obtained username is similar to namenode01 instead of namenode01/host01@REALM.TLD, which means it fails to pass the isValidRequestor check.
> !image-2023-12-06-20-21-46-825.png!
> *reproduction*
> * In the TestGetJournalEditServlet add testSecurityRequestNameNode
> {code:java}
> @Test
> public void testSecurityRequestNameNode() throws IOException, ServletException {
>   // Test: Make a request from a namenode
>   CONF.set(HADOOP_SECURITY_AUTHENTICATION, "kerberos");
>   UserGroupInformation.setConfiguration(CONF);
>
>   HttpServletRequest request = mock(HttpServletRequest.class);
>   when(request.getParameter(UserParam.NAME)).thenReturn("nn/[email protected]");
>   when(request.getRemoteUser()).thenReturn("jn");
>   boolean isValid = SERVLET.isValidRequestor(request, CONF);
>
>   assertThat(isValid).isTrue();
> }
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)