[ https://issues.apache.org/jira/browse/IMPALA-7298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16549376#comment-16549376 ]
ASF subversion and git services commented on IMPALA-7298:
---------------------------------------------------------
Commit c7d2c2ec73a5e2073de22e10742faa0553c5018d in impala's branch
refs/heads/master from Michael Ho
[ https://git-wip-us.apache.org/repos/asf?p=impala.git;h=c7d2c2e ]
IMPALA-7298: Stop passing IP address as hostname in Kerberos principal

Previously, we passed the resolved IP address of a KRPC destination
host as the hostname when creating a proxy for making KRPC calls.
This may lead to connection negotiation failure in KRPC when Kerberos
is enabled. In particular, if reverse DNS isn't enabled in Kerberos,
KDC may fail to look up the principal of the destination host if the
principal includes the hostname instead of the resolved IP address.

This change fixes the problem above by passing the actual hostname
of the destination host when calling RpcMgr::GetProxy().

rpc-mgr-kerberized-test.cc is also updated to use hostname
instead of the resolved IP address as Kerberos principal.

Change-Id: I3e3e978746cf03766eee151835aad5877d9ed63e
Reviewed-on: http://gerrit.cloudera.org:8080/10980
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
> Don't pass resolved IP address as hostname when creating proxy
> --------------------------------------------------------------
>
> Key: IMPALA-7298
> URL: https://issues.apache.org/jira/browse/IMPALA-7298
> Project: IMPALA
> Issue Type: Bug
> Components: Distributed Exec
> Affects Versions: Impala 2.12.0, Impala 3.1.0
> Reporter: Michael Ho
> Assignee: Michael Ho
> Priority: Critical
>
> {{KrpcDataStreamSender}} passes a resolved IP address when creating a proxy.
> Instead, we should pass both the resolved address and the hostname when
> creating the proxy so that we won't end up using the IP address as the
> hostname in the Kerberos principal.
> Due to the oversight above, the following error may show up when running a
> build of 2.12.0 when a user has Kerberos enabled and specified
> {{impala/<some-hostname>@<some-domain>}} as the Kerberos principal.
> {noformat}
> WARNINGS: TransmitData() to X.X.X.X:27000 failed: Not authorized: Client
> connection negotiation failed: client connection to X.X.X.X:27000: Server
> impala/[email protected] not found in Kerberos database
> {noformat}
> The workaround for this problem is to have {{rdns=true}} in
> {{/etc/krb5.conf}}.
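
As an added example (not part of the JIRA message or the Impala code base), this Python script scans log lines for the negotiation failure quoted above and flags the ones where the host part of the requested Kerberos principal is an IP literal, which is the symptom this issue describes. The sample lines, addresses, hostnames and realm are constructed, and the script assumes each warning sits on a single log line.

```python
import ipaddress
import re

# Matches the "not found in Kerberos database" text quoted in the issue.
KDC_MISS = re.compile(
    r"client connection to (?P<peer>\S+?):(?P<port>\d+): "
    r"Server (?P<service>[^/\s]+)/(?P<host>[^@\s]+)@(?P<realm>\S+) "
    r"not found in Kerberos database"
)

# Constructed sample input (documentation addresses, placeholder realm).
SAMPLE = [
    "WARNINGS: TransmitData() to 192.0.2.11:27000 failed: Not authorized: "
    "Client connection negotiation failed: client connection to "
    "192.0.2.11:27000: Server impala/192.0.2.11@EXAMPLE.COM not found in "
    "Kerberos database",
    "WARNINGS: TransmitData() to 192.0.2.12:27000 failed: Not authorized: "
    "Client connection negotiation failed: client connection to "
    "192.0.2.12:27000: Server impala/worker-2.example.com@EXAMPLE.COM not "
    "found in Kerberos database",
    "constructed unrelated line: query finished",
]

def host_is_ip(host):
    """True if the principal's host component is an IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def find_ip_principals(lines):
    """Return one finding per KDC miss whose principal host part is an IP."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        # Collapse whitespace so the pattern's single spaces always match.
        m = KDC_MISS.search(" ".join(line.split()))
        if m and host_is_ip(m["host"]):
            principal = f"{m['service']}/{m['host']}@{m['realm']}"
            findings.append(
                {"line": lineno, "peer": m["peer"], "principal": principal}
            )
    return findings

if __name__ == "__main__":
    for f in find_ip_principals(SAMPLE):
        print(f"line {f['line']}: peer {f['peer']} requested {f['principal']}")
```

A KDC miss with a real hostname in the principal (the second sample line) is not flagged, since that points to a missing or misnamed principal rather than to the IP-as-hostname behaviour.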