You are viewing a plain text version of this content. The canonical link for it is here.
Posted to hdfs-issues@hadoop.apache.org by "Steve Vaughan (Jira)" <ji...@apache.org> on 2022/07/25 14:42:00 UTC
[jira] [Created] (HDFS-16686) GetJournalEditServlet fails to authorize valid Kerberos request
Steve Vaughan created HDFS-16686:
------------------------------------
Summary: GetJournalEditServlet fails to authorize valid Kerberos request
Key: HDFS-16686
URL: https://issues.apache.org/jira/browse/HDFS-16686
Project: Hadoop HDFS
Issue Type: Improvement
Components: journal-node
Environment: Running in Kubernetes using Java 11 in an HA configuration. JournalNodes run on separate pods and have their own Kerberos principal "jn/<hostname>@<realm>".
Reporter: Steve Vaughan
GetJournalEditServlet uses request.getRemoteuser() to determine the remoteShortName for Kerberos authorization, which fails to match when the JournalNode uses its own Kerberos principal (e.g. jn/<hostname>@<realm>).
This can be fixed by using the UserGroupInformation provided by the base DfsServlet class using the getUGI(request, conf) call.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-help@hadoop.apache.org