Details
-
Type:
Bug
-
Status: Open
-
Priority:
Major
-
Resolution: Unresolved
-
Affects Version/s: None
-
Fix Version/s: None
-
Component/s: Hadoop Common
-
Labels:
-
Environment:Java: JDK > 7u79, or JDK >= 8
Description
Problem :
SPNEGO authentication fails with Kerberos cross-realm. SPNEGO is used for example also for HDFS High Availability, so HA cluster fails in such case.
Reported also in the community forum: SPNEGO-authentication-failure....
How to reproduce it :
- default realm in /etc/krb5.conf different from the realm of the service principals (for example: ICS.MUNI.CZ is realm of the host machine and service principals, META is default realm used for the Hadoop users in /etc/krb5.conf)
- JDK > 7u79, or JDK >= 8
- enable SPNEGO in web browser, visit https://SOME.NODE:50475
But once you have the authentication cookie (from other node with different Java version, krb5.conf, or fixed Hadoop), SPNEGO works even in that case on other nodes too.
How to fix it :
Apply HADOOP-12617.
HADOOP-12617 patch backported for CDH 5 is attached.
Quick test of the fix: for example for CDH 5.14.0: replace hadoop-auth-2.6.0-cdh514.0.jar by patched binary http://scientific.zcu.cz/repos/hadoop/MetaCentrum/hadoop-auth-2.6.0-cdh5.14.0.jar
We have the patch in production for two years (from CDH 5.5.1, on CDH 5.14.0 now), on Hadoop cluster 1 PB, with 24 nodes.
Can you consider to include HADOOP-12617 fix to CDH 5?