Posted to hdfs-user@hadoop.apache.org by Rainer Toebbicke <rt...@pclella.cern.ch> on 2013/12/17 12:44:06 UTC

How to add a new node to a secure cluster without namenode/jobtracker restart?

Hello,

How do you add a new datanode to a secure cluster, without restarting the namenode?

In order to prevent identity theft of mapred or hdfs, a secure cluster needs to carefully maintain 
auth_to_local in core-site.xml as far as I understand, typically with lines such as

RULE:[2:$1/$2@$0](.*/node@example.com@EXAMPLE.COM)s/^([a-zA-Z]*).*/$1/

where "node" is a member of the cluster. 


Now, if a new node appears, you change core-site.xml, but I didn't find anything that makes the namenode refresh what seems like an internal table.
At least "hdfs dfsadmin -refreshXXX" doesn't (XXX = {Nodes,ServiceAcl,UserToGroupsMappings,SuperUserGroupsConfiguration}): the namenode continues to claim 
"Authorization failed" as it does not map "hdfs/node.example.com@EXAMPLE.COM" to hdfs. Until you restart it.
 
Same holds for the jobtracker.

Have I missed something?

(This is Hadoop 2.0.0, cdh4.3.0)
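
Added illustration, not part of the original post and not Hadoop's own code: a simplified Python evaluator for auth_to_local RULE entries of the shape quoted above, showing why a principal from a host missing from the loaded rule list gets no short name. The hostnames dn1/dn2 and the function names are constructed for the example; DEFAULT and the /L suffix are left out.

```python
import re

# Grammar of one RULE entry: RULE:[n:format](match)s/from/to/g
RULE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")

# Constructed sample: dn1 is listed in auth_to_local, dn2 is the newly added node.
RULES = [r"RULE:[2:$1/$2@$0](.*/dn1\.example\.com@EXAMPLE\.COM)s/^([a-zA-Z]*).*/$1/"]

def parse_principal(principal):
    """Split 'svc/host@REALM' into (components, realm)."""
    name, _, realm = principal.partition("@")
    return name.split("/"), realm

def apply_rule(rule, principal):
    """Return the short name if this rule applies to the principal, else None."""
    m = RULE.match(rule.strip())
    if not m:
        raise ValueError("unparseable rule: " + rule)
    count, fmt, match, frm, to, glob = m.groups()
    comps, realm = parse_principal(principal)
    if len(comps) != int(count):          # rule only covers n-component principals
        return None
    params = [realm] + comps              # $0 = realm, $1.. = components
    base = re.sub(r"\$(\d)", lambda d: params[int(d.group(1))], fmt)
    if match is not None and not re.fullmatch(match, base):
        return None                       # host not on the allow-list
    if frm is not None:
        repl = re.sub(r"\$(\d)", r"\\\1", to)   # Java-style $1 -> Python \1
        base = re.sub(frm, repl, base, count=0 if glob else 1)
    return base

def map_principal(rules, principal):
    """First applicable rule wins; a result still containing '@' or '/' is rejected."""
    for rule in rules:
        short = apply_rule(rule, principal)
        if short is not None:
            if "@" in short or "/" in short:
                raise ValueError("non-simple name: " + short)
            return short
    raise LookupError("no rule applied to " + principal)

if __name__ == "__main__":
    for p in ("hdfs/dn1.example.com@EXAMPLE.COM", "hdfs/dn2.example.com@EXAMPLE.COM"):
        try:
            print(p, "->", map_principal(RULES, p))
        except LookupError as e:
            print(p, "->", e)
```

The mapping is decided entirely by the rule list held in memory, so a rule for dn2 added to core-site.xml has no effect until the process evaluating the principal has loaded it.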