Posted to common-issues@hadoop.apache.org by "Kan Zhang (JIRA)" <ji...@apache.org> on 2011/01/13 23:48:45 UTC

[jira] Updated: (HADOOP-7104) Remove unnecessary DNS reverse lookups from RPC layer

     [ https://issues.apache.org/jira/browse/HADOOP-7104?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kan Zhang updated HADOOP-7104:
------------------------------

    Attachment: c7104-01.patch

Attaching a patch that 

1. Passes the InetAddress of the client to the authorization layer instead of the hostname. The reverse lookup from InetAddress to hostname is done only when necessary.

2. Adds a supporting utility method for substituting "_HOST" that takes an InetAddress instead of a String.

3. Reverts the principal name checking from using the short name back to using the full Kerberos principal name. Using the short name, one can't check the hostname part, i.e., whether the connection is coming from a host that the Kerberos key is supposed to be used on.

> Remove unnecessary DNS reverse lookups from RPC layer
> -----------------------------------------------------
>
>                 Key: HADOOP-7104
>                 URL: https://issues.apache.org/jira/browse/HADOOP-7104
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: ipc, security
>            Reporter: Kan Zhang
>            Assignee: Kan Zhang
>         Attachments: c7104-01.patch
>
>
> RPC connection authorization needs to verify that the client's Kerberos principal name matches what is specified for the protocol. For service clients like DNs, their Kerberos principal names can be specified in the form "datanode/_HOST@DOMAIN.COM". To get the expected
> client principal name, the server needs to substitute "_HOST" with the client's fully qualified domain name, which requires a reverse DNS lookup from the client IP address. However, for connections from clients whose principal names are either unspecified or specified without using the "_HOST" convention, the substitution is not required and the reverse DNS lookup should be avoided. Currently the reverse DNS lookup is done for all clients, which could slow services like the NN down when a local named cache is not available.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
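The check the issue describes, written out in Java as an added illustration (this is not the attached patch and not Hadoop's own SecurityUtil or authorization code). The class name PrincipalAuthorizer, the pluggable resolver, the sample client address 10.0.0.5 and the FQDN dn1.example.com are all constructed for the example. It shows the two points made above: the reverse lookup runs only when the configured principal actually contains "_HOST", and the comparison is made against the full principal so that a client presenting the right service name from the wrong host is rejected.

```java
import java.net.InetAddress;
import java.util.Locale;
import java.util.function.Function;

/**
 * Illustrative RPC connection authorizer (example only, not Hadoop's code).
 * The resolver is injected so that callers can count or stub reverse lookups;
 * production code would pass InetAddress::getCanonicalHostName.
 */
public final class PrincipalAuthorizer {
    private static final String HOST_PLACEHOLDER = "_HOST";

    private final Function<InetAddress, String> reverseLookup;
    private int lookups = 0;

    public PrincipalAuthorizer(Function<InetAddress, String> reverseLookup) {
        this.reverseLookup = reverseLookup;
    }

    /** Authorizer backed by real reverse DNS (assumption: canonical name is the FQDN). */
    public static PrincipalAuthorizer usingDns() {
        return new PrincipalAuthorizer(InetAddress::getCanonicalHostName);
    }

    /**
     * Builds the principal expected from this client. The reverse lookup is
     * performed only if the configured pattern contains _HOST; the hostname is
     * lower-cased here (this example's choice) so it matches keytab principals.
     */
    public String expectedPrincipal(String configuredPrincipal, InetAddress client) {
        if (configuredPrincipal == null || !configuredPrincipal.contains(HOST_PLACEHOLDER)) {
            return configuredPrincipal; // no substitution needed, so no DNS traffic
        }
        lookups++;
        String fqdn = reverseLookup.apply(client).toLowerCase(Locale.ROOT);
        return configuredPrincipal.replace(HOST_PLACEHOLDER, fqdn);
    }

    /**
     * Compares the full authenticated principal (name, host part and realm)
     * against the expected one. Comparing only the short name would let
     * "datanode/anyhost@REALM" through regardless of which host connected.
     */
    public boolean authorize(String configuredPrincipal, String authenticatedPrincipal, InetAddress client) {
        if (configuredPrincipal == null || configuredPrincipal.isEmpty()) {
            return true; // protocol has no principal requirement configured
        }
        String expected = expectedPrincipal(configuredPrincipal, client);
        return expected.equals(authenticatedPrincipal);
    }

    /** Number of reverse lookups performed so far (for demonstration). */
    public int lookupCount() {
        return lookups;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a literal IP, so getByName itself does no DNS query.
        InetAddress client = InetAddress.getByName("10.0.0.5");
        // Constructed resolver standing in for reverse DNS of 10.0.0.5.
        PrincipalAuthorizer auth = new PrincipalAuthorizer(addr -> "dn1.example.com");

        // _HOST pattern: lookup happens, host part of the principal is verified.
        boolean okHost = auth.authorize("datanode/_HOST@EXAMPLE.COM",
                "datanode/dn1.example.com@EXAMPLE.COM", client);
        // Same service name, wrong host: rejected because the full principal differs.
        boolean wrongHost = auth.authorize("datanode/_HOST@EXAMPLE.COM",
                "datanode/other.example.com@EXAMPLE.COM", client);
        int afterHostChecks = auth.lookupCount();

        // No _HOST in the configured principal: no reverse lookup is made.
        boolean okPlain = auth.authorize("hdfs@EXAMPLE.COM", "hdfs@EXAMPLE.COM", client);
        int afterPlainCheck = auth.lookupCount();

        System.out.println("host match: " + okHost + ", wrong host: " + wrongHost
                + ", plain match: " + okPlain);
        System.out.println("lookups after _HOST checks: " + afterHostChecks
                + ", after plain check: " + afterPlainCheck);
    }
}
```

The injected resolver is what makes the "only when necessary" behaviour observable: swapping InetAddress::getCanonicalHostName for a counting stub lets a unit test assert that a protocol configured without _HOST never triggers a lookup, which is the regression the issue is guarding against.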