[ https://issues.apache.org/jira/browse/HDFS-3001?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Suresh Srinivas updated HDFS-3001:
----------------------------------

    Description: 
With a valid hdfs kerberos ticket, the dfsadmin subcommand '-refreshServiceAcl' 
still fails on Kerb authentication. Please see the comment for more details.


  was:
With a valid hdfs kerberos ticket, the dfsadmin subcommand '-refreshServiceAcl' 
still fails on Kerb authentication with
the following error:

bash-3.2$ /home/share/hadoop/bin/hdfs  --config /home/conf/hadoop/ dfsadmin -refreshServiceAcl
refreshServiceAcl: User hdfs/USER@DOMAIN (auth:KERBEROS) is not authorized for protocol interface org.apache.hadoop.security.authorize.RefreshAuthorizationPolicyProtocol, expected client Kerberos principal is null


However, other dfsadmin commands like '-printTopology', '-refreshNamenodes', 
'-safemode', '-report', which should use
the same privilege level, do not give authentication errors and work 
successfully:

-- kerb ticket --
bash-3.2$ klist -5
Ticket cache: FILE:/tmp/path/kbtickets/hdfs.kerberos.ticket
Default principal: hdfs/USER@DOMAIN

Valid starting     Expires            Service principal
01/18/12 23:59:53  01/19/12 23:59:53  krbtgt/USER@DOMAIN
        renew until 01/25/12 23:59:53

-- -printTopology subcommand --
bash-3.2$ /home/share/hadoop/bin/hdfs  --config /home/conf/hadoop/ dfsadmin -printTopology
Rack: /IPADDR1.0
   IPADDR2.43:1004 (HOST1.com)
   IPADDR3.44:1004 (HOST2.com)
   IPADDRn.60:1004 (HOSTn.com)

Rack: /default-rack
   HOSTr.com

-- -refreshNamenodes subcommand --
bash-3.2$ /home/share/hadoop/bin/hdfs --config /home/conf/hadoop/ dfsadmin  -fs hdfs://NNHOST:8020  -refreshNamenodes DNHOST:8020
bash-3.2$ echo $?
0

-- -safemode subcommand --
bash-3.2$ /home/share/hadoop/bin/hdfs --config /home/conf/hadoop/ dfsadmin  -fs hdfs://NNHOST:8020  -safemode get
Safe mode is OFF



                
> dfsadmin -refreshServiceAcl fails Kerb authentication with valid Kerb ticket, 
> other subcommands succeed
> -------------------------------------------------------------------------------------------------------
>
>                 Key: HDFS-3001
>                 URL: https://issues.apache.org/jira/browse/HDFS-3001
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: hdfs client
>    Affects Versions: 0.23.1
>            Reporter: patrick white
>
> With a valid hdfs kerberos ticket, the dfsadmin subcommand 
> '-refreshServiceAcl' still fails on Kerb authentication. Please see the 
> comment for more details.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
