[ 
https://issues.apache.org/jira/browse/HDDS-14064?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18051422#comment-18051422
 ] 

Gargi Jaiswal commented on HDDS-14064:
--------------------------------------

The DN reconfiguration problem is because the `dfs.datanode.kerberos.principal` 
property value is different on the DN and Client sides.

On the DN side, *“dfs.datanode.kerberos.principal”* is configured as 
*“dn/[email protected]”* in ozone-site.xml, but the Client uses 
{color:#de350b}ozone-site.xml{color}, which doesn’t have this property 
configured, so it falls back to the property in 
{color:#de350b}hdfs-site.xml{color}, where the *“dfs.datanode.kerberos.principal”* 
value is {*}“hdfs/[email protected]”{*}.

Adding “dfs.datanode.kerberos.principal” with the value “dn/[email protected]” to 
ozone-site.xml will solve the problem.
It's better if we have a default value set for `hdds.datanode.kerberos.principal`.

 

> Missing default value for "hdds.datanode.kerberos.principal"
> ------------------------------------------------------------
>
>                 Key: HDDS-14064
>                 URL: https://issues.apache.org/jira/browse/HDDS-14064
>             Project: Apache Ozone
>          Issue Type: Bug
>            Reporter: Gargi Jaiswal
>            Assignee: Gargi Jaiswal
>            Priority: Major
>
> The configuration property 
> {code:java}
> hdds.datanode.kerberos.principal{code}
>  in *ozone-default.xml* has an empty default value, while similar properties 
> for SCM and OM have defaults (SCM/_HOST@REALM and OM/_HOST@REALM 
> respectively). This inconsistency can lead to configuration errors in secure 
> Ozone clusters.
> *Current Behaviour:*
> {code:java}
> <property>
>   <name>hdds.datanode.kerberos.principal</name>
>   <value/>  <!-- EMPTY -->
>   <tag>OZONE, DATANODE</tag>
>   <description>
>     The Datanode service principal. This is typically set to
>     dn/[email protected]. Each Datanode will substitute _HOST with its
>     own fully qualified hostname at startup. The _HOST placeholder
>     allows using the same configuration setting on all Datanodes.
>   </description>
> </property> {code}
> This issue was identified when sending *DiskBalancer Commands* from the client to 
> a DN in a secure cluster. 
> Without a default, users must manually set this value, leading to potential 
> misconfiguration; it should be enabled by default.
> Kerberos authentication fails with errors like:
> {code:java}
> Server has invalid Kerberos principal: dn/hostname@REALM, expecting: 
> hdfs/hostname@REALM {code}
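Added example (not part of the Jira comment or the Ozone code base): a Python check that resolves `dfs.datanode.kerberos.principal` on each side in the order the comment describes and reports when the client would expect a different principal than the Datanode presents. The realm EXAMPLE.COM, the host name, the sample XML and the helper names are constructed for illustration, and the layered lookup is a simplified model of the fallback described above.

```python
import xml.etree.ElementTree as ET

KEY = "dfs.datanode.kerberos.principal"

# Constructed sample configs; realm EXAMPLE.COM is a placeholder.
DN_OZONE_SITE = """<configuration>
  <property><name>dfs.datanode.kerberos.principal</name><value>dn/_HOST@EXAMPLE.COM</value></property>
</configuration>"""
CLIENT_OZONE_SITE = """<configuration>
  <property><name>ozone.security.enabled</name><value>true</value></property>
</configuration>"""
CLIENT_HDFS_SITE = """<configuration>
  <property><name>dfs.datanode.kerberos.principal</name><value>hdfs/_HOST@EXAMPLE.COM</value></property>
</configuration>"""

def load(xml_text):
    """Parse a Hadoop-style *-site.xml into {name: value}; an empty <value/> becomes ''."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        props[name] = (prop.findtext("value") or "").strip()
    return props

def resolve(key, *layers):
    """Return (value, layer_index) from the first layer holding a non-empty value."""
    for i, layer in enumerate(layers):
        if layer.get(key):
            return layer[key], i
    return None, None

def expand(principal, fqdn):
    """Substitute _HOST with the Datanode's fully qualified hostname."""
    return principal.replace("_HOST", fqdn)

def check(dn_host, dn_layers, client_layers, key=KEY):
    """Compare the principal the DN runs as with the one the client expects."""
    served, _ = resolve(key, *dn_layers)
    expected, src = resolve(key, *client_layers)
    if served is None or expected is None:
        return {"ok": False, "reason": "principal unset on one side"}
    served, expected = expand(served, dn_host), expand(expected, dn_host)
    return {"ok": served == expected, "served": served,
            "expected": expected, "client_layer": src}

if __name__ == "__main__":
    dn = [load(DN_OZONE_SITE)]
    # Client as reported: ozone-site.xml lacks the key, hdfs-site.xml supplies it.
    print(check("dn1.example.com", dn, [load(CLIENT_OZONE_SITE), load(CLIENT_HDFS_SITE)]))
    # Client after adding the key to ozone-site.xml, as the comment suggests.
    print(check("dn1.example.com", dn, [{KEY: "dn/_HOST@EXAMPLE.COM"}, load(CLIENT_HDFS_SITE)]))
```

A `client_layer` of 1 in the result means the value came from the second file in the lookup order, which is the fallback the comment identifies as the cause of the "Server has invalid Kerberos principal" error.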