You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Owen O'Malley (JIRA)" <ji...@apache.org> on 2010/07/10 02:03:50 UTC
[jira] Commented: (HADOOP-6647) balancer fails with "is not
authorized for protocol interface NamenodeProtocol" in secure environment
[ https://issues.apache.org/jira/browse/HADOOP-6647?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12886952#action_12886952 ]
Owen O'Malley commented on HADOOP-6647:
---------------------------------------
Allen,
The Namenode's configuration defines the mapping from long names to short names. It defaults to:
*@YOUR.DOMAIN -> *
With that mapping, someone coming in from another domain will fail, even with the cross-realm stuff set up.
hdfs@BAD.DOMAIN fails....
At Yahoo, we have two domains and we have rules for exactly how they map, but they amount to:
*@YGRID.YAHOO.COM -> *
*@CORP.YAHOO.COM -> *
So those two realms work, but anything else will fail. Depending on the translation that operations defines, they *can* make a cluster insecure.
joe@CORP.YAHOO.COM -> root
would be really convenient for joe, but not secure. *grin*
> balancer fails with "is not authorized for protocol interface NamenodeProtocol" in secure environment
> -----------------------------------------------------------------------------------------------------
>
> Key: HADOOP-6647
> URL: https://issues.apache.org/jira/browse/HADOOP-6647
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Boris Shkolnik
> Assignee: Boris Shkolnik
> Attachments: HADOOP-6647-BP20.patch, HADOOP-6647.patch
>
>
> user logs in as hdfs/something@something and tries to run balancer.
> balancer is using NameNode Protocol which authorizes based on server principal key.
> but NameNode key is hdfs/_HOST@.. now. so it fails.
> To fix we need to compare the short names only.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.