You are viewing a plain text version of this content. The canonical link for it is here.

Posted to hdfs-issues@hadoop.apache.org by "Steve Vaughan (Jira)" <ji...@apache.org> on 2022/07/25 14:42:00 UTC

[jira] [Created] (HDFS-16686) GetJournalEditServlet fails to authorize valid Kerberos request

Steve Vaughan created HDFS-16686:
------------------------------------

             Summary: GetJournalEditServlet fails to authorize valid Kerberos request
                 Key: HDFS-16686
                 URL: https://issues.apache.org/jira/browse/HDFS-16686
             Project: Hadoop HDFS
          Issue Type: Improvement
          Components: journal-node
         Environment: Running in Kubernetes using Java 11 in an HA configuration.  JournalNodes run on separate pods and have their own Kerberos principal "jn/<hostname>@<realm>".
            Reporter: Steve Vaughan


GetJournalEditServlet uses request.getRemoteuser() to determine the remoteShortName for Kerberos authorization, which fails to match when the JournalNode uses its own Kerberos principal (e.g. jn/<hostname>@<realm>).

This can be fixed by using the UserGroupInformation provided by the base DfsServlet class using the getUGI(request, conf) call.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-help@hadoop.apache.org