[
https://issues.apache.org/jira/browse/HDFS-3460?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alejandro Abdelnur updated HDFS-3460:
-------------------------------------
Attachment: HDFS-3460.patch
A kerberos principal is the full name, not the short name. The Java Principal
does not have an accessor to get the short principal. The patch tries to cast
the Java Principal to AuthenticationToken and if successful it extracts the
username which is the short principal.
I've tested this in a deployed setup with Kerberos and it works fine.
> HttpFS proxyuser validation with Kerberos ON uses full principal name
> ---------------------------------------------------------------------
>
> Key: HDFS-3460
> URL: https://issues.apache.org/jira/browse/HDFS-3460
> Project: Hadoop HDFS
> Issue Type: Bug
> Affects Versions: 2.0.0-alpha
> Reporter: Alejandro Abdelnur
> Assignee: Alejandro Abdelnur
> Priority: Critical
> Fix For: 2.0.1-alpha
>
> Attachments: HDFS-3460.patch
>
>
> The HttpFSServer.getEffectiveUser() method uses the principal name for proxy
> user verification. If the Kerberos is ON and the proxy user is a service
> principal (NAME/HOST) then the verification fails, instead the short name
> (just NAME) should be used.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
