[
https://issues.apache.org/jira/browse/HDFS-17276?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
kuper updated HDFS-17276:
-------------------------
Description:
* In a Kerberos environment, the namenode cannot fetch editlog from journalnode
because the request is rejected (403). !image-2023-12-06-20-21-03-557.png!
* GetJournalEditServlet checks if the request's username meets the
requirements through the isValidRequestor function. After HDFS-16686 is merged,
remotePrincipal becomes ugi.getUserName().
* In a Kerberos environment, ugi.getUserName() gets the
request.getRemoteUser() via DfsServlet's getUGI to get the username, and this
username is not a full name.
* Therefore, the obtained username is similar to namenode01 instead of
namenode01/[email protected], which meansit fails to pass the isValidRequestor
check. !image-2023-12-06-20-21-46-825.png!
*reproduction*
* In the TestGetJournalEditServlet add testSecurityRequestNameNode
{code:java}
@Test
public void testSecurityRequestNameNode() throws IOException, ServletException {
// Test: Make a request from a namenode
CONF.set(HADOOP_SECURITY_AUTHENTICATION, "kerberos");
UserGroupInformation.setConfiguration(CONF);
HttpServletRequest request = mock(HttpServletRequest.class);
when(request.getParameter(UserParam.NAME)).thenReturn("nn/[email protected]");
when(request.getRemoteUser()).thenReturn("jn");
boolean isValid = SERVLET.isValidRequestor(request, CONF);
assertThat(isValid).isTrue();
} {code}
was:
* In a Kerberos environment, the namenode cannot fetch editlog from journalnode
because the request is rejected (403). !image-2023-12-06-20-21-03-557.png!
* GetJournalEditServlet checks if the request's username meets the
requirements through the isValidRequestor function. After HDFS-16686 is merged,
remotePrincipal becomes ugi.getUserName().
* In a Kerberos environment, ugi.getUserName() gets the
request.getRemoteUser() via DfsServlet's getUGI to get the username, and this
username is not a full name.
* Therefore, the obtained username is similar to namenode01 instead of
namenode01/host01@@REALM.TLD, which meansit fails to pass the isValidRequestor
check. !image-2023-12-06-20-21-46-825.png!
*reproduction*
* In the TestGetJournalEditServlet add testSecurityRequestNameNode
{code:java}
@Test
public void testSecurityRequestNameNode() throws IOException, ServletException {
// Test: Make a request from a namenode
CONF.set(HADOOP_SECURITY_AUTHENTICATION, "kerberos");
UserGroupInformation.setConfiguration(CONF);
HttpServletRequest request = mock(HttpServletRequest.class);
when(request.getParameter(UserParam.NAME)).thenReturn("nn/[email protected]");
when(request.getRemoteUser()).thenReturn("jn");
boolean isValid = SERVLET.isValidRequestor(request, CONF);
assertThat(isValid).isTrue();
} {code}
> The nn fetch editlog forbidden in kerberos environment
> ------------------------------------------------------
>
> Key: HDFS-17276
> URL: https://issues.apache.org/jira/browse/HDFS-17276
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: qjm, security
> Affects Versions: 3.3.5, 3.3.6
> Reporter: kuper
> Priority: Major
> Labels: pull-request-available
> Attachments: image-2023-12-06-20-21-03-557.png,
> image-2023-12-06-20-21-46-825.png
>
>
> * In a Kerberos environment, the namenode cannot fetch editlog from
> journalnode because the request is rejected (403).
> !image-2023-12-06-20-21-03-557.png!
> * GetJournalEditServlet checks if the request's username meets the
> requirements through the isValidRequestor function. After HDFS-16686 is
> merged, remotePrincipal becomes ugi.getUserName().
> * In a Kerberos environment, ugi.getUserName() gets the
> request.getRemoteUser() via DfsServlet's getUGI to get the username, and this
> username is not a full name.
> * Therefore, the obtained username is similar to namenode01 instead of
> namenode01/[email protected], which meansit fails to pass the isValidRequestor
> check. !image-2023-12-06-20-21-46-825.png!
> *reproduction*
> * In the TestGetJournalEditServlet add testSecurityRequestNameNode
> {code:java}
> @Test
> public void testSecurityRequestNameNode() throws IOException,
> ServletException {
> // Test: Make a request from a namenode
> CONF.set(HADOOP_SECURITY_AUTHENTICATION, "kerberos");
> UserGroupInformation.setConfiguration(CONF);
>
> HttpServletRequest request = mock(HttpServletRequest.class);
>
> when(request.getParameter(UserParam.NAME)).thenReturn("nn/[email protected]");
> when(request.getRemoteUser()).thenReturn("jn");
> boolean isValid = SERVLET.isValidRequestor(request, CONF);
>
> assertThat(isValid).isTrue();
> } {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
