[ https://issues.apache.org/jira/browse/HDDS-14064?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gargi Jaiswal updated HDDS-14064:
---------------------------------
    Description: 
The configuration property {{hdds.datanode.kerberos.principal}} in *ozone-default.xml* has an empty default value, while the corresponding properties for SCM and OM have defaults (SCM/_HOST@REALM and OM/_HOST@REALM respectively). This inconsistency can lead to configuration errors in secure Ozone clusters.

*Current Behaviour:*
{code:xml}
<property>
  <name>hdds.datanode.kerberos.principal</name>
  <value/>  <!-- EMPTY -->
  <tag>OZONE, DATANODE</tag>
  <description>
    The Datanode service principal. This is typically set to
    dn/[email protected]. Each Datanode will substitute _HOST with its
    own fully qualified hostname at startup. The _HOST placeholder
    allows using the same configuration setting on all Datanodes.
  </description>
</property>
{code}

When unset, it falls back to the deprecated 
{color:#de350b}dfs.datanode.kerberos.principal{color} via 
*OzoneConfiguration.java* deprecation handling. This causes DN 
*reconfiguration* or *diskbalancer* command failures where:
 * {*}DataNode side{*}: hdds.datanode.kerberos.principal is empty, so it falls 
back to {color:#de350b}dfs.datanode.kerberos.principal{color}, which is set to 
{color:#de350b}dn/_HOST@REALM{color} in the DN's ozone-site.xml. This is handled 
correctly by the deprecated-key mapping.
 * {*}Client side{*}: hdds.datanode.kerberos.principal is not set in the client 
side ozone-site.xml, so it falls back to 
{color:#de350b}dfs.datanode.kerberos.principal{color} from 
{color:#de350b}hdfs-site.xml{color} (e.g., hdfs/_HOST@REALM).

The mismatch between dn/_HOST@... and hdfs/_HOST@... causes the reconfiguration and 
diskbalancer commands to fail. Right now, to make these commands work, the user needs 
to explicitly set the value of the property in ozone-site.xml.
{code}
bash > ozone admin reconfig --service=DATANODE --in-service-datanodes properties
An error occurred while executing the command for :10.145.32.0:19864
java.lang.RuntimeException: java.io.IOException: DestHost:destPort dn-host-1:19864 , LocalHost:localPort dn-host-1/10.145.32.0:0. Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: Bad Kerberos server principal configuration
[Caused by java.lang.IllegalArgumentException: Server has invalid Kerberos principal:dn/dn-host-1@REALM, expecting: hdfs/dn-host-1@REALM]

bash > ozone admin datanode diskbalancer start in-service-datanodes
An error occurred while executing the command for :10.145.32.0:19864
java.lang.RuntimeException: java.io.IOException: DestHost:destPort dn-host-1:19864 , LocalHost:localPort dn-host-1/10.145.32.0:0. Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: Bad Kerberos server principal configuration [Caused by java.lang.IllegalArgumentException: Server has invalid Kerberos principal:dn/dn-host-1@REALM, expecting: hdfs/dn-host-1@REALM]
{code}
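Added example, not part of the issue or of the Ozone code base: a Python pre-flight check that models the lookup described above. It assumes a simplified fallback rule (an empty or missing hdds.* key resolves to the deprecated dfs.* key) and Hadoop's _HOST substitution; the XML snippets are constructed to mirror the broken and the fixed client configuration, so the mismatch is caught before any RPC is attempted.

```python
import xml.etree.ElementTree as ET

NEW_KEY = "hdds.datanode.kerberos.principal"
OLD_KEY = "dfs.datanode.kerberos.principal"  # deprecated key that NEW_KEY falls back to
# Constructed sample configs reproducing the issue (not real cluster files).
DN_OZONE_SITE = """<configuration>
  <property><name>dfs.datanode.kerberos.principal</name><value>dn/_HOST@REALM</value></property>
</configuration>"""
CLIENT_HDFS_SITE = """<configuration>
  <property><name>dfs.datanode.kerberos.principal</name><value>hdfs/_HOST@REALM</value></property>
</configuration>"""
CLIENT_OZONE_SITE_BROKEN = "<configuration/>"  # DN principal never set on the client
CLIENT_OZONE_SITE_FIXED = """<configuration>
  <property><name>hdds.datanode.kerberos.principal</name><value>dn/_HOST@REALM</value></property>
</configuration>"""

def load_props(*xml_docs):
    """Merge <property> entries from several *-site.xml documents; later documents win."""
    props = {}
    for doc in xml_docs:
        for prop in ET.fromstring(doc).iter("property"):
            name = prop.findtext("name")
            if name:
                props[name] = prop.findtext("value") or ""
    return props

def effective_principal(props):
    """Simplified model of Hadoop's deprecated-key handling: empty/missing NEW_KEY -> OLD_KEY."""
    return props.get(NEW_KEY) or props.get(OLD_KEY) or ""

def server_principal(principal, hostname):
    """_HOST substitution as SecurityUtil.getServerPrincipal does it (host lower-cased)."""
    parts = principal.split("/", 1)
    if len(parts) == 2 and "@" in parts[1]:
        host, realm = parts[1].split("@", 1)
        if host == "_HOST":
            return f"{parts[0]}/{hostname.lower()}@{realm}"
    return principal  # no _HOST placeholder (or not a service principal): used verbatim

def check_dn_principal(dn_props, client_props, hostname):
    """Return (dn_principal, client_expected, match); match=False is the SASL failure
    'Server has invalid Kerberos principal: ..., expecting: ...' caught before the RPC."""
    dn = server_principal(effective_principal(dn_props), hostname)
    expected = server_principal(effective_principal(client_props), hostname)
    return dn, expected, dn == expected

if __name__ == "__main__":
    dn = load_props(DN_OZONE_SITE)
    for label, site in (("broken", CLIENT_OZONE_SITE_BROKEN), ("fixed", CLIENT_OZONE_SITE_FIXED)):
        print(label, check_dn_principal(dn, load_props(CLIENT_HDFS_SITE, site), "dn-host-1"))
```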

was:
The configuration property {{hdds.datanode.kerberos.principal}} in *ozone-default.xml* has an empty default value, while the corresponding properties for SCM and OM have defaults (SCM/_HOST@REALM and OM/_HOST@REALM respectively). This inconsistency can lead to configuration errors in secure Ozone clusters.

*Current Behaviour:*
{code:xml}
<property>
  <name>hdds.datanode.kerberos.principal</name>
  <value/>  <!-- EMPTY -->
  <tag>OZONE, DATANODE</tag>
  <description>
    The Datanode service principal. This is typically set to
    dn/[email protected]. Each Datanode will substitute _HOST with its
    own fully qualified hostname at startup. The _HOST placeholder
    allows using the same configuration setting on all Datanodes.
  </description>
</property>
{code}
This issue was identified when sending *DiskBalancer Commands* from the client to a DN 
in a secure cluster. 
Without a default, users must set this value manually, which invites 
misconfiguration; a default should be provided.
Kerberos authentication fails with errors like:
{code}
Server has invalid Kerberos principal: dn/hostname@REALM, expecting: hdfs/hostname@REALM
{code}
> Missing default value for "hdds.datanode.kerberos.principal"
> ------------------------------------------------------------
>
>                 Key: HDDS-14064
>                 URL: https://issues.apache.org/jira/browse/HDDS-14064
>             Project: Apache Ozone
>          Issue Type: Bug
>            Reporter: Gargi Jaiswal
>            Assignee: Gargi Jaiswal
>            Priority: Major
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)