Posted to hdfs-issues@hadoop.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/08/08 09:59:00 UTC

[jira] [Commented] (HDFS-4043) Namenode Kerberos Login does not use proper hostname for host qualified hdfs principal name.

    [ https://issues.apache.org/jira/browse/HDFS-4043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17576672#comment-17576672 ] 

ASF GitHub Bot commented on HDFS-4043:
--------------------------------------

ndimiduk commented on code in PR #4693:
URL: https://github.com/apache/hadoop/pull/4693#discussion_r940043984


##########
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/net/InetAddressUtils.java:
##########
@@ -0,0 +1,55 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.net;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.naming.NamingException;
+import java.net.InetAddress;
+
+public final class InetAddressUtils {
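
Review bot: The declaration `public final class InetAddressUtils {` has no class-level Javadoc, and the `javax.naming.NamingException` import indicates a lookup path that can fail. Please add a class comment stating which host name the helper returns and what it falls back to when the lookup throws, because HDFS-4043 is about that name being substituted into the Kerberos principal and a silent fallback would reproduce the original login failure.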

Review Comment:
   I believe that you need InterfaceAudience and InterfaceStability annotations on the new class.



##########
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/net/TestInetAddressUtils.java:
##########
@@ -0,0 +1,48 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.net;
+
+import org.junit.Test;
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotEquals;
+
+
+public class TestInetAddressUtils {
+
+  @Test
+  public void testGetCanonicalHostName() throws UnknownHostException {
+    InetAddress localhost = InetAddress.getLocalHost();
+    InetAddress unresolved = InetAddress.getByAddress(localhost.getHostAddress(),
+        localhost.getAddress());
+
+    // Precondition: host name and canonical host name for unresolved returns an IP address.
+    assertEquals(localhost.getHostAddress(), unresolved.getHostName());
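
Review bot: The `assertEquals` under the "Precondition" comment holds by construction rather than checking anything about resolution. `unresolved` is created with `InetAddress.getByAddress(String, byte[])` using the IP literal as the host name, and `getHostName()` returns the name an address was created with without consulting a name service. The comment also names the canonical host name, which the line shown does not cover. Suggest rewording the comment to say the host name is fixed to the IP literal on purpose, and checking the `getCanonicalHostName()` half of the precondition separately, since that is the call that depends on the resolver.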

Review Comment:
   The behavior of this test will vary based on the DNS environment at the time it's run. At the very least, you can make this an `assume` statement so that the test will make no assertions when the environmental conditions are inappropriate.
   
   For more rigorous testing, it seems like mocking of a static method becomes possible as of Mockito 3.4.0. Alternatively, I wonder if you can create an environment where you manipulate the property `jdk.net.hosts.file` and provide a file that you populate for the duration of the test.





> Namenode Kerberos Login does not use proper hostname for host qualified hdfs principal name.
> --------------------------------------------------------------------------------------------
>
>                 Key: HDFS-4043
>                 URL: https://issues.apache.org/jira/browse/HDFS-4043
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.0.0-alpha, 2.0.1-alpha, 2.0.2-alpha, 2.0.3-alpha
>         Environment: CDH4U1 on Ubuntu 12.04
>            Reporter: Ahad Rana
>            Priority: Major
>              Labels: pull-request-available
>   Original Estimate: 24h
>          Time Spent: 50m
>  Remaining Estimate: 23h 10m
>
> The Namenode uses the loginAsNameNodeUser method in NameNode.java to log in using the hdfs principal. This method in turn invokes SecurityUtil.login with a hostname (last parameter) obtained via a call to InetAddress.getHostName. This call does not always return the fully qualified host name, and thus causes the namenode login to fail due to Kerberos's inability to find a matching hdfs principal in the hdfs.keytab file. Instead it should use InetAddress.getCanonicalHostName. This is consistent with what is used internally by SecurityUtil.java to log in other services, such as the DataNode.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
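
The mismatch described in the issue, as an added diagnostic that is not part of the original message or of the Hadoop code base: it builds the principal from a short name, a fully qualified name, and this host's `getHostName()` and `getCanonicalHostName()` results, then checks each against a keytab list. The class name, the `expand` and `check` helpers, the pattern and the keytab entry are assumptions constructed for illustration; `expand` is a simplified stand-in for Hadoop's `_HOST` substitution.

```java
import java.net.InetAddress;
import java.util.Locale;
import java.util.Set;

public class PrincipalHostCheck {

  // Simplified stand-in for the _HOST substitution in a principal pattern.
  static String expand(String pattern, String host) {
    return pattern.replace("_HOST", host.toLowerCase(Locale.ROOT));
  }

  // Reports whether the principal built from this host name is in the keytab list.
  static String check(String label, String pattern, String host, Set<String> keytab) {
    String principal = expand(pattern, host);
    String verdict = keytab.contains(principal) ? "in keytab" : "NOT in keytab";
    return String.format("%-24s %-40s %s", label, principal, verdict);
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample values, not taken from the issue.
    String pattern = "hdfs/_HOST@EXAMPLE.COM";
    Set<String> keytab = Set.of("hdfs/nn1.example.com@EXAMPLE.COM");

    // Deterministic case: short name versus fully qualified name.
    System.out.println(check("short name", pattern, "nn1", keytab));
    System.out.println(check("fully qualified name", pattern, "NN1.example.com", keytab));

    // Environment-dependent case: what this host's resolver returns.
    InetAddress local = InetAddress.getLocalHost();
    String canonical = local.getCanonicalHostName();
    System.out.println(check("getHostName()", pattern, local.getHostName(), keytab));
    System.out.println(check("getCanonicalHostName()", pattern, canonical, keytab));

    // getCanonicalHostName() returns the textual IP address when no name is
    // found, which cannot match a host-qualified keytab entry either.
    if (canonical.equals(local.getHostAddress())) {
      System.out.println("warning: canonical lookup returned an IP literal: " + canonical);
    }
  }
}
```

To use it on a real node, replace the constructed pattern and keytab set with the configured principal and the entries listed by `klist -kt` for the service keytab.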
