Description
In https://ccp.cloudera.com/display/CDHDOC/Configuring+Hadoop+Security+in+CDH3 step 7 "Configure Secure HDFS", a number of bullet points specify the various binding addresses used by the namenode and datanode services when establishing Kerberos principals.
You specifically write, "When performing the _HOST substitution for the Kerberos principal names, the NameNode determines its own hostname based on the configured value of fs.default.name".
In practice, the NameNode actually authenticates twice. For purposes of dfs.name.dir directory ownership, it uses the hostname associated with fs.default.name. But the HTTP server actually pays attention to dfs.http.address. This is important for nodes that have multiple Ethernet addresses with different FQDNs, where you want to choose a specific hostname to bind to.
Your example hdfs-site.xml configuration further down specifies dfs.https.address as "<hostname>:50470"; it should also explicitly specify dfs.http.address as "<hostname>:50070" for the purpose of strict hostname checking when binding to Kerberos principals.
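A pre-deployment check for the situation the report describes, as an added example that is not part of the report or of Cloudera's documentation: it reads core-site.xml and hdfs-site.xml, shows the principal each address would yield after _HOST substitution, and lists addresses that are unset or point at a different hostname. It assumes the behaviour stated in the report; the hostnames, realm and principal pattern are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample files: hostnames, realm and principal pattern are placeholders.
CORE_SITE = """<configuration>
  <property><name>fs.default.name</name><value>hdfs://nn-internal.example.com:8020</value></property>
</configuration>"""
HDFS_SITE = """<configuration>
  <property><name>dfs.https.address</name><value>nn-public.example.com:50470</value></property>
</configuration>"""

def load_props(xml_text):
    """Parse a Hadoop *-site.xml document into {name: value}."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def host_of(address):
    """Return the host part of 'host:port' or 'scheme://host:port'."""
    if "://" not in address:
        address = "//" + address
    return urlparse(address).hostname

def audit(core_xml, hdfs_xml, principal="hdfs/_HOST@EXAMPLE.COM"):
    """Show the principal each address yields after _HOST substitution and
    list settings that leave the hostname implicit or inconsistent."""
    core, hdfs = load_props(core_xml), load_props(hdfs_xml)
    rpc_host = host_of(core["fs.default.name"])
    hosts, findings = {"fs.default.name": rpc_host}, []
    for key in ("dfs.http.address", "dfs.https.address"):
        if key not in hdfs:
            findings.append(f"{key} is not set explicitly")
            continue
        host = host_of(hdfs[key])
        if host in (None, "0.0.0.0"):
            findings.append(f"{key} pins no specific hostname")
            continue
        hosts[key] = host
        if host != rpc_host:
            findings.append(f"{key} host {host} differs from fs.default.name host {rpc_host}")
    principals = {k: principal.replace("_HOST", h) for k, h in hosts.items()}
    return principals, findings

if __name__ == "__main__":
    principals, findings = audit(CORE_SITE, HDFS_SITE)
    for key, value in principals.items():
        print(f"{key:18} -> {value}")
    for finding in findings:
        print("FINDING:", finding)
```

Each principal the check prints needs a matching entry in the NameNode keytab; a finding about differing hosts means two distinct principals are in play on that node.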