[jira] Commented: (HADOOP-6647) balancer fails with "is not authorized for protocol interface NamenodeProtocol" in secure environment

["Owen O'Malley (JIRA)" <ji...@apache.org>]

    [ https://issues.apache.org/jira/browse/HADOOP-6647?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12886952#action_12886952 ] 

Owen O'Malley commented on HADOOP-6647:
---------------------------------------

Allen,

The Namenode's configuration defines the mapping from long names to short names. It defaults to:

*@YOUR.DOMAIN -> *

With that mapping, someone coming in from another domain will fail, even with the cross-realm stuff set up.

hdfs@BAD.DOMAIN fails....

At Yahoo, we have two domains and we have rules for exactly how they map, but they amount to:

*@YGRID.YAHOO.COM -> *
*@CORP.YAHOO.COM -> *

So those two realms work, but anything else will fail. Depending on the translation that operations defines, they *can* make a cluster insecure. 

joe@CORP.YAHOO.COM -> root

would be really convenient for joe, but not secure. *grin*


> balancer fails with "is not authorized for protocol interface NamenodeProtocol" in secure environment
> -----------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-6647
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6647
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Boris Shkolnik
>            Assignee: Boris Shkolnik
>         Attachments: HADOOP-6647-BP20.patch, HADOOP-6647.patch
>
>
> user logs in as hdfs/something@something and tries to run balancer.
> balancer is using NameNode Protocol which authorizes based on server principal key.
> but NameNode key is hdfs/_HOST@.. now. so it fails. 
> To fix we need to compare the short names only.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.