You are viewing a plain text version of this content. The canonical link for it is here.

Posted to hdfs-dev@hadoop.apache.org by "Jihyun Cho (JIRA)" <ji...@apache.org> on 2019/03/18 10:56:00 UTC

[jira] [Created] (HDFS-14375) DataNode cannot serve BlockPool to multiple NameNodes in the different realm

Jihyun Cho created HDFS-14375:
---------------------------------

             Summary: DataNode cannot serve BlockPool to multiple NameNodes in the different realm
                 Key: HDFS-14375
                 URL: https://issues.apache.org/jira/browse/HDFS-14375
             Project: Hadoop HDFS
          Issue Type: Bug
          Components: security
    Affects Versions: 3.1.1
            Reporter: Jihyun Cho
         Attachments: authorize.patch

Let me explain the environment for a description.

{noformat}
KDC(TEST1.COM) <-- Cross-realm trust -->  KDC(TEST2.COM)
   |                                         |
NameNode1                                 NameNode2
   |                                         |
   ---------- DataNodes (federated) ----------
{noformat}

We configured the secure clusters and federated them.
But DataNodes could not connect to NameNode1 with below error.

{noformat}
WARN SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization failed for dn/hadoop-datanode.test.com@TEST2.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.hdfs.server.protocol.DatanodeProtocol: this service is only accessible by dn/hadoop-datanode.test.com@TEST1.COM
{noformat}

We have avoided the error with attached patch.
The patch checks only using {{username}} and {{hostname}} except {{realm}}.
I think there is no problem. Because if realms are different and no cross-realm setting, they cannot communication each other. If you are worried about this, please let me know.

In the long run, it would be better if I could set multiple realms for authorize. Like this;

{noformat}
<property>
  <name>dfs.namenode.kerberos.trust-realms</name>
  <value>TEST1.COM,TEST2.COM</value>
</property>
{noformat}




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: hdfs-dev-help@hadoop.apache.org