Uploaded image for project: 'Hadoop HDFS'
  1. Hadoop HDFS
  2. HDFS-16686

GetJournalEditServlet fails to authorize valid Kerberos request

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 3.4.0, 3.3.5
    • 3.4.0, 3.3.5
    • journal-node

    • Running in Kubernetes using Java 11 in an HA configuration.  JournalNodes run on separate pods and have their own Kerberos principal "jn/<hostname>@<realm>".

    • Reviewed

    Description

      GetJournalEditServlet uses request.getRemoteuser() to determine the remoteShortName for Kerberos authorization, which fails to match when the JournalNode uses its own Kerberos principal (e.g. jn/<hostname>@<realm>).

      This can be fixed by using the UserGroupInformation provided by the base DfsServlet class using the getUGI(request, conf) call.

      Attachments

        Issue Links

          is a child of

          Improvement - An improvement or enhancement to an existing feature or task. HADOOP-18396 Issues running in dynamic / managed environments

          • Major - Major loss of function.
          • In Progress
          links to

          Web Link GitHub Pull Request #4724

          Web Link GitHub Pull Request #4794

          Activity

            People

              svaughan Steve Vaughan
              svaughan Steve Vaughan
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: