Posted to common-issues@hadoop.apache.org by "Wei-Chiu Chuang (Jira)" <ji...@apache.org> on 2020/03/18 00:03:00 UTC

[jira] [Commented] (HADOOP-16454) Document how to share delegation tokens between multiple HttpFS servers

    [ https://issues.apache.org/jira/browse/HADOOP-16454?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17061264#comment-17061264 ] 

Wei-Chiu Chuang commented on HADOOP-16454:
------------------------------------------

Hi [~aajisaka] any updates on this jira? 

 

We recently had a user hitting this issue, and the below instruction made it work:

 

Under HDFS -> Configuration -> Role HTTPFS -> HttpFS Advanced Configuration Snippet (Safety Valve) for httpfs-site.xml

For example, in the Sandbox environment, add the following properties:

 
# description
[ property => value ]

# description: enable zookeeper token manager
httpfs.authentication.zk-dt-secret-manager.enable => true

# description: zookeeper servers
httpfs.authentication.zk-dt-secret-manager.zkConnectionString => master-jgmq2s2.hadoop.ams5.tools:2181,master-jgqq2s2.hadoop.ams5.tools:2181,master-jgvn2s2.hadoop.ams5.tools:2181

# description: authType, either sasl, or none
httpfs.authentication.zk-dt-secret-manager.zkAuthType => sasl

# description: the kerberos principal of the load balancer
httpfs.authentication.zk-dt-secret-manager.kerberos.principal => <LB-Principal>

# description: the httpfs keytab
httpfs.authentication.zk-dt-secret-manager.kerberos.keytab => <HttpFs.keytab>

After making the above changes, a restart would be required for the changes to take effect.

> Document how to share delegation tokens between multiple HttpFS servers
> -----------------------------------------------------------------------
>
>                 Key: HADOOP-16454
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16454
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: documentation, httpfs
>         Environment: Kerberized, clients connect to multiple HttpFS servers via load balancer
>            Reporter: Akira Ajisaka
>            Assignee: Akira Ajisaka
>            Priority: Minor
>
> In our environment, multiple HttpFS servers are deployed for the clients outside the HDFS cluster.  As we are using an external load balancer service for the HttpFS servers, the following situation may happen:
> 1. A client authenticates with an HttpFS server and gets a delegation token. Using the delegation token, the client can access the NameNode.
> 2. In the next session, the client authenticates with another HttpFS server (via load balancer) using the same delegation token. The client fails to access because the other HttpFS server does not have the information of the delegation token.
> This issue is to document how to fix this situation.



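Added example, not part of the original message or of Hadoop: a Python check that reads each HttpFS server's httpfs-site.xml, verifies the five properties listed in the comment above, and flags servers behind the same load balancer that disagree on the ZooKeeper ensemble or principal. The sample hosts, principal and keytab path are constructed placeholders, site_xml is a hypothetical helper, and the requirement that every server carries identical values is an assumption of this example.

```python
import xml.etree.ElementTree as ET

PREFIX = "httpfs.authentication.zk-dt-secret-manager."

def load_site(xml_text):
    """Parse Hadoop *-site.xml text into a {name: value} dict."""
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in ET.fromstring(xml_text).iter("property")}

def check_server(props):
    """Return the problems found in one server's token-manager settings."""
    get = lambda key: props.get(PREFIX + key, "")
    problems = []
    if get("enable").lower() != "true":
        problems.append("enable is not true")
    if not get("zkConnectionString"):
        problems.append("zkConnectionString is empty")
    auth = get("zkAuthType")
    if auth not in ("sasl", "none"):
        problems.append("zkAuthType must be sasl or none")
    if auth == "sasl":  # Kerberos settings are only checked for SASL
        problems += [key + " is missing" for key in
                     ("kerberos.principal", "kerberos.keytab") if not get(key)]
    return problems

def check_fleet(sites):
    """sites maps host -> httpfs-site.xml text; returns {host: [problems]}."""
    parsed = {host: load_site(text) for host, text in sites.items()}
    report = {host: check_server(props) for host, props in parsed.items()}
    # Assumption: all servers share one ZooKeeper ensemble and LB principal.
    for key in ("zkConnectionString", "kerberos.principal"):
        values = {",".join(sorted(p.get(PREFIX + key, "").split(",")))
                  for p in parsed.values()}
        if len(values) > 1:
            report.setdefault("*", []).append(key + " differs between servers")
    return report

def site_xml(**settings):
    return "<configuration>%s</configuration>" % "".join(
        "<property><name>%s%s</name><value>%s</value></property>"
        % (PREFIX, k.replace("_", "."), v) for k, v in settings.items())

# Constructed sample (site_xml is a hypothetical helper); values are placeholders.
GOOD = dict(enable="true", zkAuthType="sasl",
            zkConnectionString="zk1.example.com:2181,zk2.example.com:2181",
            kerberos_principal="HTTP/lb.example.com@EXAMPLE.COM",
            kerberos_keytab="/etc/httpfs/httpfs.keytab")
SAMPLE = {"httpfs1": site_xml(**GOOD),
          "httpfs2": site_xml(**dict(GOOD, enable="false", kerberos_keytab=""))}
```

Calling check_fleet(SAMPLE) returns an empty problem list for httpfs1 and two findings for httpfs2; a "*" entry appears only when servers disagree with each other.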