[
https://issues.apache.org/jira/browse/HDFS-5688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13853155#comment-13853155
]
Jing Zhao commented on HDFS-5688:
---------------------------------
Hi [~jucaf], I'm not a security expert. But looks like the error msg "No common
protection layer between client and server" is caused by different saslQOP
values on server (JournalNode) and client (NameNode) of the RPC protocol. Have
you set the same value of "hadoop.rpc.protection" (e.g., auth-conf) in your NNs
and all the JournalNodes?
> Wire-encription in QJM
> ----------------------
>
> Key: HDFS-5688
> URL: https://issues.apache.org/jira/browse/HDFS-5688
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: ha, journal-node, security
> Affects Versions: 2.2.0
> Reporter: Juan Carlos Fernandez
> Labels: security
>
> When HA is implemented with QJM and using kerberos, it's not possible to set
> wire-encrypted data.
> If it's set property hadoop.rpc.protection to something different to
> authentication it doesn't work propertly, getting the error:
> ERROR security.UserGroupInformation: PriviledgedActionException
> as:principal@REALM (auth:KERBEROS) cause:javax.security.sasl.SaslException:
> No common protection layer between client and server
> With NFS as shared storage everything works like a charm
--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
