fix: Include hdfs principal names in discovery ConfigMap (#451)
* fix: Include hdfs principal names in discovery ConfigMap * changelog * Apply suggestions from code review Co-authored-by: Siegfried Weber <[email protected]> --------- Co-authored-by: Siegfried Weber <[email protected]>
1 parent
f619a87
commit 1e4f5a2
Showing
6 changed files
with
92 additions
and
43 deletions.
@@ -2,7 +2,10 @@ use stackable_hdfs_crd::{ | |
constants::{SSL_CLIENT_XML, SSL_SERVER_XML}, | ||
HdfsCluster, | ||
}; | ||
use stackable_operator::commons::product_image_selection::ResolvedProductImage; | ||
use stackable_operator::{ | ||
commons::product_image_selection::ResolvedProductImage, | ||
kube::{runtime::reflector::ObjectRef, ResourceExt}, | ||
}; | ||
|
||
use crate::{ | ||
config::{CoreSiteConfigBuilder, HdfsSiteConfigBuilder}, | ||
|
@@ -52,29 +55,14 @@ impl HdfsSiteConfigBuilder { | |
} | ||
|
||
impl CoreSiteConfigBuilder { | ||
pub fn security_config( | ||
&mut self, | ||
hdfs: &HdfsCluster, | ||
hdfs_name: &str, | ||
hdfs_namespace: &str, | ||
) -> &mut Self { | ||
pub fn security_config(&mut self, hdfs: &HdfsCluster) -> Result<&mut Self, Error> { | ||
if hdfs.authentication_config().is_some() { | ||
// For a long time we tried using `_HOST` in principals, e.g. `jn/[email protected]`. | ||
// Turns out there are a lot of code paths that check the principal of the requester using a reverse lookup of the incoming IP address | ||
// and getting a different hostname than the principal has. | ||
// What ultimately killed this approach was | ||
// | ||
// 2023-05-30 09:23:01,745 ERROR namenode.EditLogInputStream (EditLogFileInputStream.java:nextOpImpl(220)) - caught exception initializing https://hdfs-journalnode-default-1.hdfs-journalnode-default.kuttl-test-fine-rat.svc.cluster.local:8481/getJournal?jid=hdfs&segmentTxId=1&storageInfo=-65%3A595659877%3A1685437352616%3ACID-90c52400-5b07-49bf-bdbe-3469bbdc5ebb&inProgressOk=true | ||
// org.apache.hadoop.hdfs.server.common.HttpGetFailedException: Fetch of https://hdfs-journalnode-default-1.hdfs-journalnode-default.kuttl-test-fine-rat.svc.cluster.local:8481/getJournal?jid=hdfs&segmentTxId=1&storageInfo=-65%3A595659877%3A1685437352616%3ACID-90c52400-5b07-49bf-bdbe-3469bbdc5ebb&inProgressOk=true failed with status code 403 | ||
// Response message: | ||
// Only Namenode and another JournalNode may access this servlet | ||
// | ||
// After we have switched to using the following principals everything worked without problems | ||
let principal_host_part = principal_host_part(hdfs)?; | ||
|
||
let principal_host_part = | ||
format!("{hdfs_name}.{hdfs_namespace}.svc.cluster.local@${{env.KERBEROS_REALM}}"); | ||
self.add("hadoop.security.authentication", "kerberos") | ||
.add("hadoop.registry.kerberos.realm", "${env.KERBEROS_REALM}") | ||
// Not adding hadoop.registry.kerberos.realm, as it seems to not be used by our customers | ||
// and would need text-replacement of the env var anyway. | ||
// .add("hadoop.registry.kerberos.realm", "${env.KERBEROS_REALM}") | ||
.add( | ||
"dfs.journalnode.kerberos.principal", | ||
format!("jn/{principal_host_part}"), | ||
|
@@ -115,19 +103,58 @@ impl CoreSiteConfigBuilder { | |
|
||
self.add_wire_encryption_settings(); | ||
} | ||
self | ||
Ok(self) | ||
} | ||
|
||
pub fn security_discovery_config(&mut self, hdfs: &HdfsCluster) -> &mut Self { | ||
pub fn security_discovery_config(&mut self, hdfs: &HdfsCluster) -> Result<&mut Self, Error> { | ||
if hdfs.has_kerberos_enabled() { | ||
self.add("hadoop.security.authentication", "kerberos"); | ||
let principal_host_part = principal_host_part(hdfs)?; | ||
|
||
self.add("hadoop.security.authentication", "kerberos") | ||
.add( | ||
"dfs.journalnode.kerberos.principal", | ||
format!("jn/{principal_host_part}"), | ||
) | ||
.add( | ||
"dfs.namenode.kerberos.principal", | ||
format!("nn/{principal_host_part}"), | ||
) | ||
.add( | ||
"dfs.datanode.kerberos.principal", | ||
format!("dn/{principal_host_part}"), | ||
); | ||
self.add_wire_encryption_settings(); | ||
} | ||
self | ||
Ok(self) | ||
} | ||
|
||
fn add_wire_encryption_settings(&mut self) -> &mut Self { | ||
self.add("hadoop.rpc.protection", "privacy"); | ||
self | ||
} | ||
} | ||
|
||
/// For a long time we tried using `_HOST` in principals, e.g. `jn/[email protected]`. | ||
/// Turns out there are a lot of code paths that check the principal of the requester using a reverse lookup of the incoming IP address | ||
/// and getting a different hostname than the principal has. | ||
/// What ultimately killed this approach was | ||
/// | ||
/// ```text | ||
/// 2023-05-30 09:23:01,745 ERROR namenode.EditLogInputStream (EditLogFileInputStream.java:nextOpImpl(220)) - caught exception initializing https://hdfs-journalnode-default-1.hdfs-journalnode-default.kuttl-test-fine-rat.svc.cluster.local:8481/getJournal?jid=hdfs&segmentTxId=1&storageInfo=-65%3A595659877%3A1685437352616%3ACID-90c52400-5b07-49bf-bdbe-3469bbdc5ebb&inProgressOk=true | ||
/// org.apache.hadoop.hdfs.server.common.HttpGetFailedException: Fetch of https://hdfs-journalnode-default-1.hdfs-journalnode-default.kuttl-test-fine-rat.svc.cluster.local:8481/getJournal?jid=hdfs&segmentTxId=1&storageInfo=-65%3A595659877%3A1685437352616%3ACID-90c52400-5b07-49bf-bdbe-3469bbdc5ebb&inProgressOk=true failed with status code 403 | ||
/// Response message: | ||
/// Only Namenode and another JournalNode may access this servlet | ||
/// ``` | ||
/// | ||
/// After we have switched to using the following principals everything worked without problems | ||
fn principal_host_part(hdfs: &HdfsCluster) -> Result<String, Error> { | ||
let hdfs_name = hdfs.name_any(); | ||
let hdfs_namespace = hdfs | ||
.namespace_or_error() | ||
.map_err(|_| Error::ObjectHasNoNamespace { | ||
obj_ref: ObjectRef::from_obj(hdfs), | ||
})?; | ||
Ok(format!( | ||
"{hdfs_name}.{hdfs_namespace}.svc.cluster.local@${{env.KERBEROS_REALM}}" | ||
)) | ||
} |
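Review bot: `security_config` and `security_discovery_config` now return `Result<&mut Self, Error>` but carry no doc comment saying when they fail; the only error path visible in the hunks is `Error::ObjectHasNoNamespace` raised by `principal_host_part` when the `HdfsCluster` has no namespace, so each should get a `/// # Errors` section along the lines of `/// Returns `Error::ObjectHasNoNamespace` when `hdfs` has no namespace, since the Kerberos principal host part is derived from it.`. The two methods also gate the Kerberos settings on different predicates, `hdfs.authentication_config().is_some()` in `security_config` versus `hdfs.has_kerberos_enabled()` in `security_discovery_config`; if those can ever disagree, the cluster's own config and the discovery ConfigMap would advertise different principal settings to clients, so if they are meant to be equivalent a one-line comment stating that (or using the same predicate in both) would make the invariant explicit. Finally, `principal_host_part`'s doc comment ends with "the following principals" without naming them; a closing line such as `/// Returns the host part `<name>.<namespace>.svc.cluster.local@${env.KERBEROS_REALM}` used in every principal below; note that this pins the cluster domain to `cluster.local`.` would document the contract that consumers of the discovery ConfigMap rely on.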