You are viewing a plain text version of this content. The canonical link for it is here.
Posted to hdfs-dev@hadoop.apache.org by "Jihyun Cho (JIRA)" <ji...@apache.org> on 2019/03/18 10:56:00 UTC
[jira] [Created] (HDFS-14375) DataNode cannot serve BlockPool to
multiple NameNodes in the different realm
Jihyun Cho created HDFS-14375:
---------------------------------
Summary: DataNode cannot serve BlockPool to multiple NameNodes in the different realm
Key: HDFS-14375
URL: https://issues.apache.org/jira/browse/HDFS-14375
Project: Hadoop HDFS
Issue Type: Bug
Components: security
Affects Versions: 3.1.1
Reporter: Jihyun Cho
Attachments: authorize.patch
Let me explain the environment for a description.
{noformat}
KDC(TEST1.COM) <-- Cross-realm trust --> KDC(TEST2.COM)
| |
NameNode1 NameNode2
| |
---------- DataNodes (federated) ----------
{noformat}
We configured the secure clusters and federated them.
But DataNodes could not connect to NameNode1 with below error.
{noformat}
WARN SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization failed for dn/hadoop-datanode.test.com@TEST2.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.hdfs.server.protocol.DatanodeProtocol: this service is only accessible by dn/hadoop-datanode.test.com@TEST1.COM
{noformat}
We have avoided the error with attached patch.
The patch checks only using {{username}} and {{hostname}} except {{realm}}.
I think there is no problem. Because if realms are different and no cross-realm setting, they cannot communication each other. If you are worried about this, please let me know.
In the long run, it would be better if I could set multiple realms for authorize. Like this;
{noformat}
<property>
<name>dfs.namenode.kerberos.trust-realms</name>
<value>TEST1.COM,TEST2.COM</value>
</property>
{noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: hdfs-dev-help@hadoop.apache.org