[ https://issues.apache.org/jira/browse/HDFS-4794?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Benoy Antony updated HDFS-4794:
-------------------------------
Attachment: HDFS-4794.patch

Root cause of the error:

The delegation token is stored in the UGI tokens (map) and keyed to the
NameNode's RPC hostname and port (8020).
The DataNode tries to connect to the NameNode Service RPC hostname and port
(8030). When the client on the DataNode looks for a token, it looks for a token
keyed to the NameNode Service RPC hostname and port (8030). It does not find a
match and hence cannot use the delegation token for authentication. It falls
back to Kerberos authentication, but does not have a TGT for the user.

The fix is to use the NameNode's RPC address (NOT service RPC) when browsing
directory/block/tail via web. Patch is attached.

This is not a problem in trunk since the NameNode passes its own RPC address as
a URL parameter when browsing a directory. But adopting that scheme requires
more changes.

> Browsing filesystem via webui throws kerberos exception when NN service RPC
> is enabled in a secure cluster
> ----------------------------------------------------------------------------------------------------------
>
> Key: HDFS-4794
> URL: https://issues.apache.org/jira/browse/HDFS-4794
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: security
> Affects Versions: 1.1.2
> Reporter: Benoy Antony
> Assignee: Benoy Antony
> Attachments: HDFS-4794.patch
>
>
> Browsing filesystem via webui throws kerberos exception when NN service RPC
> is enabled in a secure cluster
> To reproduce this error:
> 1. Enable security
> 2. Enable serviceRPC by setting dfs.namenode.servicerpc-address and use a
>    different port than the rpc port.
> 3. Click on "Browse the filesystem" on NameNode web.
> The following error will be shown:
> Call to NN001/12.123.123.01:8030 failed on local exception:
> java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed
> [Caused by GSSException: No valid credentials provided (Mechanism level:
> Failed to find any Kerberos tgt)]
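
The key mismatch described in the comment above, as an added example that is not part of the original message or of Hadoop's code: a simplified Python model in which the token map is keyed by service host:port, run once against the service RPC address and once against the RPC address. The class and function names and the nn001.example.com addresses are assumptions made for illustration.

```python
# Simplified model of the token lookup described in the comment above.
# All names are hypothetical; this is not Hadoop code.

RPC_ADDR = "nn001.example.com:8020"          # NameNode RPC address (constructed)
SERVICE_RPC_ADDR = "nn001.example.com:8030"  # NameNode service RPC address (constructed)


class AuthError(Exception):
    """Raised when neither a delegation token nor a Kerberos TGT is usable."""


class UserContext:
    """Stands in for the per-user token map plus Kerberos state."""

    def __init__(self, has_tgt=False):
        self.tokens = {}        # service "host:port" -> token
        self.has_tgt = has_tgt

    def add_token(self, service, token):
        self.tokens[service] = token

    def select_token(self, target):
        # Exact match on the service key: a different port is a different key.
        return self.tokens.get(target)


def authenticate(user, target):
    """Return the auth method used to reach target, or raise AuthError."""
    if user.select_token(target) is not None:
        return "TOKEN"
    if user.has_tgt:
        return "KERBEROS"       # fallback only works when a TGT exists
    raise AuthError(f"no token keyed to {target} and no Kerberos TGT")


def browse(user, use_service_rpc):
    """Model the DataNode-side web client choosing which NameNode address to call."""
    target = SERVICE_RPC_ADDR if use_service_rpc else RPC_ADDR
    return authenticate(user, target)


def demo():
    user = UserContext(has_tgt=False)             # web request carries only a token
    user.add_token(RPC_ADDR, "delegation-token")  # keyed to the RPC host:port
    try:
        before = browse(user, use_service_rpc=True)   # behaviour in the report
    except AuthError as exc:
        before = f"FAILED: {exc}"
    after = browse(user, use_service_rpc=False)       # behaviour with the fix
    return before, after
```
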