Posted to common-issues@hadoop.apache.org by "Eli Collins (JIRA)" <ji...@apache.org> on 2012/07/04 04:30:36 UTC
[jira] [Created] (HADOOP-8554) KerberosAuthenticator should use the configured principal
Eli Collins created HADOOP-8554:
-----------------------------------
Summary: KerberosAuthenticator should use the configured principal
Key: HADOOP-8554
URL: https://issues.apache.org/jira/browse/HADOOP-8554
Project: Hadoop Common
Issue Type: Bug
Components: security
Affects Versions: 1.0.0
Reporter: Eli Collins
In KerberosAuthenticator we construct the principal as follows:
{code}
String servicePrincipal = "HTTP/" + KerberosAuthenticator.this.url.getHost();
{code}
Seems like we should use the configured hadoop.http.authentication.kerberos.principal instead, right?
I hit this issue as a distcp using webhdfs://localhost fails because HTTP/localhost is not in the kerb DB but using webhdfs://eli-thinkpad works because HTTP/eli-thinkpad is (and is my configured principal). distcp using Hftp://localhost with the same config works so it looks like this check is webhdfs specific for some reason (webhdfs is using spnego and hftp is not?).
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
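Added example, not part of the original message or of Hadoop's code: a preflight check that derives the SPN the way the quoted line does and looks it up among the principals the server holds keys for, parsed from `klist -k` style output. The class name, keytab path, port and EXAMPLE.COM realm are constructed placeholders.

```java
import java.net.URI;
import java.util.LinkedHashSet;
import java.util.Set;

public class SpnegoSpnPreflight {

    // Same derivation as the line quoted in the issue: "HTTP/" plus the host from the URL.
    static String clientSpn(URI target) {
        String host = target.getHost();
        if (host == null) throw new IllegalArgumentException("no host in " + target);
        return "HTTP/" + host;
    }

    // Collect principals (realm removed) from `klist -k` style rows: "<kvno> <principal>".
    static Set<String> keytabPrincipals(String klistOutput) {
        Set<String> out = new LinkedHashSet<>();
        for (String line : klistOutput.split("\n")) {
            String[] f = line.trim().split("\\s+");
            // Header, separator and "Keytab name:" rows do not match this shape.
            if (f.length == 2 && f[0].matches("\\d+") && f[1].contains("/")) {
                int at = f[1].lastIndexOf('@');
                out.add(at < 0 ? f[1] : f[1].substring(0, at));
            }
        }
        return out;
    }

    // The derived SPN is only usable if the server holds a key under exactly that name.
    static boolean serverHoldsKey(URI target, Set<String> principals) {
        return principals.contains(clientSpn(target));
    }

    public static void main(String[] args) {
        // Constructed sample input; "web/hadoop" is the non-hostname form mentioned in the thread.
        String klist = String.join("\n",
            "Keytab name: FILE:/path/to/spnego.keytab",
            "KVNO Principal",
            "---- ----------------------------------------",
            "   2 HTTP/eli-thinkpad@EXAMPLE.COM",
            "   1 web/hadoop@MYREALM");
        Set<String> held = keytabPrincipals(klist);
        for (String u : new String[] {"webhdfs://localhost:50070/", "webhdfs://eli-thinkpad:50070/"}) {
            URI uri = URI.create(u);
            System.out.printf("%s -> %s : %s%n", u, clientSpn(uri),
                serverHoldsKey(uri, held) ? "key present" : "no key under this name");
        }
    }
}
```

With the sample input, the localhost URL yields HTTP/localhost, which has no key, while the eli-thinkpad URL matches; the web/hadoop entry is never produced by this derivation for any URL.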
[jira] [Commented] (HADOOP-8554) KerberosAuthenticator should use the configured principal
Posted by "Alejandro Abdelnur (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-8554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13409645#comment-13409645 ]
Alejandro Abdelnur commented on HADOOP-8554:
--------------------------------------------
Laxman, isn't HADOOP-8518 addressing your concern?
[jira] [Commented] (HADOOP-8554) KerberosAuthenticator should use the configured principal
Posted by "Rajiv Chittajallu (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-8554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13406312#comment-13406312 ]
Rajiv Chittajallu commented on HADOOP-8554:
-------------------------------------------
Trying to figure out SPN for multihomed systems is a matter of policy. For clusters, it is simpler to generate it from the uri or make rDNS a requirement.
[jira] [Commented] (HADOOP-8554) KerberosAuthenticator should use the configured principal
Posted by "Laxman (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-8554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13406289#comment-13406289 ]
Laxman commented on HADOOP-8554:
--------------------------------
About to raise another issue and noticed.
We are also facing this problem in 2.0.1.
bq. Seems like we should use the configured hadoop.http.authentication.kerberos.principal instead right?
I don't find this property in trunk. I think it's better to pass principal from the user of KerberosAuthenticator.
Any different opinion?
[jira] [Updated] (HADOOP-8554) KerberosAuthenticator should use the configured principal
Posted by "Laxman (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-8554?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Laxman updated HADOOP-8554:
---------------------------
Affects Version/s: 3.0.0, 2.0.1-alpha, 2.0.0-alpha
Labels: security webconsole (was: )
[jira] [Resolved] (HADOOP-8554) KerberosAuthenticator should use the configured principal
Posted by "Eli Collins (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-8554?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Eli Collins resolved HADOOP-8554.
---------------------------------
Resolution: Invalid
You're right, thanks for the explanation, I didn't realize the principal config was server-side only. Also, the reason I hit this with webhdfs and not hftp is that hftp doesn't support SPNEGO.
[jira] [Commented] (HADOOP-8554) KerberosAuthenticator should use the configured principal
Posted by "Eli Collins (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-8554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13407283#comment-13407283 ]
Eli Collins commented on HADOOP-8554:
-------------------------------------
bq. I don't find this property in trunk. I think it's better to pass principal from the user of KerberosAuthenticator.
See AuthenticationFilterInitializer, this config name is constructed via the PREFIX variable.
[jira] [Commented] (HADOOP-8554) KerberosAuthenticator should use the configured principal
Posted by "Laxman (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-8554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13409192#comment-13409192 ]
Laxman commented on HADOOP-8554:
--------------------------------
@Eli & Alejandro, IMHO this issue is valid.
On server side, there is a provision to configure a principal like "web/hadoop@MYREALM".
Here second component "hadoop" refers to my cluster/domain identifier but not the canonical hostname.
Also, Kerberos doesn't mandate to use hostname only.
So, I think this is a valid issue. Correct me if I'm missing something here.
Please refer to ZOOKEEPER-1467 for similar issue of client side hardcoding.
[jira] [Commented] (HADOOP-8554) KerberosAuthenticator should use the configured principal
Posted by "Alejandro Abdelnur (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-8554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13408456#comment-13408456 ]
Alejandro Abdelnur commented on HADOOP-8554:
--------------------------------------------
@Eli, the line of code you point out happens on the client side; if your URL is of the form http://foohost/.... then the principal is created as 'HTTP/foohost'. There is a JIRA to add support for Kerberos name rules, HADOOP-8518. IMO this JIRA is invalid.