You are viewing a plain text version of this content. The canonical link for it is here.

Posted to mapreduce-issues@hadoop.apache.org by "Hadoop QA (JIRA)" <ji...@apache.org> on 2010/07/30 07:08:16 UTC

[jira] Commented: (MAPREDUCE-1959) Should use long name for token renewer on the client side

    [ https://issues.apache.org/jira/browse/MAPREDUCE-1959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12893936#action_12893936 ] 

Hadoop QA commented on MAPREDUCE-1959:
--------------------------------------

-1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12450193/m1959-01.patch
  against trunk revision 980316.

    +1 @author.  The patch does not contain any @author tags.

    -1 tests included.  The patch doesn't appear to include any new or modified tests.
                        Please justify why no new tests are needed for this patch.
                        Also please list what manual steps were performed to verify this patch.

    -1 patch.  The patch command could not apply the patch.

Console output: http://hudson.zones.apache.org/hudson/job/Mapreduce-Patch-h4.grid.sp2.yahoo.net/339/console

This message is automatically generated.

> Should use long name for token renewer on the client side
> ---------------------------------------------------------
>
>                 Key: MAPREDUCE-1959
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-1959
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>          Components: job submission, security
>            Reporter: Kan Zhang
>            Assignee: Kan Zhang
>         Attachments: m1959-01.patch
>
>
> When getting a delegation token from a NN, a client needs to specify the renewer for the token. For use on a MapRed cluster, JT should be specified as the renewer. However, in the current code, the client maps JT's long name (Kerberos principal name) to cluster-internal short name and then sets the short name as the renewer. This is undesirable for 2 reasons. 1) It's unnecessary since NN (or JT) converts client-supplied renewer from long to short name anyway. 2) In principle, the mapping from long to short name should be done on the server. This is consistent with the authentication case, where the client uses the same long name to authenticate to multiple servers and servers map client's long name to their own internal short names. It facilitates using the same job client to get delegation tokens from multiple NN's, which may have different mapping rules for JT.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.