HDFS-4043. Namenode Kerberos Login does not use proper hostname for host qualified hdfs principal name. #4693

Merged
merged 8 commits into from
Aug 17, 2022


snmvaughan
Contributor

Description of PR

Perform a DNS reverse name lookup when getCanonicalHost() returns the IP address as a string. The standard InetAddress getCanonicalHostName() has the following issues:

  1. It reports any cached value if one exists
  2. It returns the IP address if it is unable to resolve a canonical name
  3. It caches any returned values, which would include the IP address as a string

How was this patch tested?

An HA configuration was deployed to Kubernetes, running Java 11. All services start up as expected. Performing a rolling restart of the JournalNodes caused failures when the NameNode communicated with the newly started JournalNode, reporting an exception that included a principal with the IP address instead of the canonical host name.

Performing the same activity after applying the patch succeeds as the DNS reverse lookup is performed to acquire the correct calculated principal.

For code changes:

  • Does the title of this PR start with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
  • Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?
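
The fallback this description outlines, as an added example that is not part of the pull request or of Hadoop's code: when getCanonicalHostName() hands back the IP literal, query the PTR record directly through the JDK's JNDI DNS provider so the host part of the Kerberos principal is a name rather than an address. The class and method names and the EXAMPLE.COM realm are hypothetical, and the sketch handles IPv4 only.

```java
import java.net.InetAddress;
import java.util.Hashtable;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.InitialDirContext;
// Added illustration; names are hypothetical and EXAMPLE.COM is a constructed realm.
public class CanonicalHostFallback {
  // PTR query through the JDK's JNDI DNS provider, which does not consult
  // the InetAddress cache. IPv4 only in this sketch.
  static String ptrLookup(InetAddress addr) throws NamingException {
    byte[] b = addr.getAddress();
    if (b.length != 4) {
      throw new NamingException("IPv4 only: " + addr.getHostAddress());
    }
    String arpa = (b[3] & 0xff) + "." + (b[2] & 0xff) + "." + (b[1] & 0xff)
        + "." + (b[0] & 0xff) + ".in-addr.arpa";
    Hashtable<String, String> env = new Hashtable<>();
    env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
    InitialDirContext ctx = new InitialDirContext(env);
    try {
      Attribute ptr = ctx.getAttributes(arpa, new String[] {"PTR"}).get("PTR");
      if (ptr == null) {
        throw new NamingException("no PTR record for " + arpa);
      }
      String name = ptr.get().toString();
      // DNS answers are absolute names, so drop the trailing dot.
      return name.endsWith(".") ? name.substring(0, name.length() - 1) : name;
    } finally {
      ctx.close();
    }
  }

  // Returns a host name, falling back to a direct PTR query when
  // getCanonicalHostName() hands back the IP literal.
  static String canonicalHost(InetAddress addr) {
    String host = addr.getCanonicalHostName();
    if (!host.equals(addr.getHostAddress())) {
      return host;
    }
    try {
      return ptrLookup(addr);
    } catch (NamingException e) {
      return host; // still unresolved: the caller sees the IP literal
    }
  }

  public static void main(String[] args) throws Exception {
    InetAddress addr = InetAddress.getByName(args.length > 0 ? args[0] : "127.0.0.1");
    System.out.println("hdfs/" + canonicalHost(addr) + "@EXAMPLE.COM");
  }
}
```

If the PTR query also fails, the method still returns the IP literal, so a caller building a principal should treat a result equal to getHostAddress() as unresolved.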

@snmvaughan
Contributor Author

The InetAddressUtils class in this patch will also be used to address HDFS-16685. Once this patch is accepted, I'll create the pull request for HDFS-16685.

localhost.getAddress());

// Precondition: host name and canonical host name for unresolved returns an IP address.
assertEquals(localhost.getHostAddress(), unresolved.getHostName());
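
Review bot: the comment above the assertEquals names both the host name and the canonical host name as the precondition, but the line shown checks only unresolved.getHostName(); if unresolved.getCanonicalHostName() is not checked on the following line, add that check or narrow the comment. Because this is stated as a precondition rather than the behaviour under test, expressing it as an assumption (for example JUnit's Assume.assumeTrue) would skip the test instead of failing it on a host where the address does resolve.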
Member

The behavior of this test will vary based on the dns environment at the time it's run. At the very least, you can make this an assume statement so that the test will make no assertions when the environmental conditions are inappropriate.

For more rigorous testing, it seems like mocking of a static method becomes possible as of Mockito 3.4.0. Alternatively, I wonder if you can create an environment where you manipulate the property jdk.net.hosts.file and provide a file that you populate for the duration of the test.

Member

I should specify. At least in OpenJDK11, in the InetAddress class, there's a private static NameService createNameService() that makes use of this property. I don't know if this is formally documented someplace on the JVM.

Contributor Author

We still support Java 8, so I avoided using Java 11 classes.

Member

Hmm yes, I see no mention of jdk.net.hosts.file in the InetAddress of OpenJDK8.

Member

@ndimiduk ndimiduk left a comment

Thanks for updating the visibility annotation.

Steve Vaughan Jr added 5 commits August 12, 2022 14:55
…ost qualified hdfs principal name.

Perform a DNS reverse name lookup when getCanonicalHost() returns the IP address as a string.
Since the core of the problem relates to DNS interactions with private fields inside of Java language classes, this test can only verify that externally a request for a canonical host name works.
Instead of introducing a new utility class (i.e. InetAddressUtils) switch to using the existing pluggable framework for DomainNameResolver.

Update default implementation DNSDomainNameResolver to protect against returning the IP address as a string from a cached value.
@sunchao
Member

sunchao commented Aug 12, 2022

cc @fengnanli @goiri since you authored the original code

Member

@sunchao sunchao left a comment

Looks good to me.

@hadoop-yetus

💔 -1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 1m 29s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 1s codespell was not available.
+0 🆗 detsecrets 0m 1s detect-secrets was not available.
+0 🆗 xmllint 0m 1s xmllint was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
+1 💚 test4tests 0m 0s The patch appears to include 1 new or modified test files.
_ trunk Compile Tests _
+1 💚 mvninstall 44m 12s trunk passed
+1 💚 compile 28m 31s trunk passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1
+1 💚 compile 23m 42s trunk passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
+1 💚 checkstyle 1m 38s trunk passed
+1 💚 mvnsite 2m 10s trunk passed
+1 💚 javadoc 1m 38s trunk passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1
+1 💚 javadoc 1m 5s trunk passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
+1 💚 spotbugs 3m 18s trunk passed
+1 💚 shadedclient 26m 34s branch has no errors when building and testing our client artifacts.
-0 ⚠️ patch 27m 0s Used diff version of patch file. Binary files and potentially other changes not applied. Please rebase and squash commits if necessary.
_ Patch Compile Tests _
+1 💚 mvninstall 1m 9s the patch passed
+1 💚 compile 24m 39s the patch passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1
+1 💚 javac 24m 39s the patch passed
+1 💚 compile 22m 7s the patch passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
+1 💚 javac 22m 7s the patch passed
+1 💚 blanks 0m 1s The patch has no blanks issues.
-0 ⚠️ checkstyle 1m 31s /results-checkstyle-hadoop-common-project_hadoop-common.txt hadoop-common-project/hadoop-common: The patch generated 2 new + 92 unchanged - 0 fixed = 94 total (was 92)
+1 💚 mvnsite 2m 3s the patch passed
+1 💚 javadoc 1m 23s the patch passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1
+1 💚 javadoc 1m 7s the patch passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
-1 ❌ spotbugs 3m 7s /new-spotbugs-hadoop-common-project_hadoop-common.html hadoop-common-project/hadoop-common generated 1 new + 0 unchanged - 0 fixed = 1 total (was 0)
+1 💚 shadedclient 25m 56s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 18m 21s hadoop-common in the patch passed.
+1 💚 asflicense 1m 18s The patch does not generate ASF License warnings.
237m 46s
Reason Tests
SpotBugs module:hadoop-common-project/hadoop-common
Possible null pointer dereference of host in org.apache.hadoop.net.DNSDomainNameResolver.getHostnameByIP(InetAddress) Dereferenced at DNSDomainNameResolver.java:[line 53]
Subsystem Report/Notes
Docker ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4693/7/artifact/out/Dockerfile
GITHUB PR #4693
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets xmllint
uname Linux cae38b3d31dd 4.15.0-175-generic #184-Ubuntu SMP Thu Mar 24 17:48:36 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / e88831b
Default Java Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4693/7/testReport/
Max. process+thread count 3067 (vs. ulimit of 5500)
modules C: hadoop-common-project/hadoop-common U: hadoop-common-project/hadoop-common
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4693/7/console
versions git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

@apache apache deleted a comment from hadoop-yetus Aug 13, 2022
SpotBugs is concerned that getCanonicalHostName() may return null, although the JavaDocs indicate that it will return the IP address as a String if unable to determine the FQDN. The only circumstance I can imagine where it would return null is if the IP address is null, which would mean a reverse lookup wouldn't work either.
@hadoop-yetus

🎊 +1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 0m 59s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 1s codespell was not available.
+0 🆗 detsecrets 0m 1s detect-secrets was not available.
+0 🆗 xmllint 0m 1s xmllint was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
+1 💚 test4tests 0m 0s The patch appears to include 1 new or modified test files.
_ trunk Compile Tests _
+1 💚 mvninstall 42m 27s trunk passed
+1 💚 compile 26m 42s trunk passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1
+1 💚 compile 23m 59s trunk passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
+1 💚 checkstyle 1m 31s trunk passed
+1 💚 mvnsite 1m 58s trunk passed
+1 💚 javadoc 1m 31s trunk passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1
+1 💚 javadoc 1m 4s trunk passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
+1 💚 spotbugs 3m 3s trunk passed
+1 💚 shadedclient 27m 5s branch has no errors when building and testing our client artifacts.
-0 ⚠️ patch 27m 32s Used diff version of patch file. Binary files and potentially other changes not applied. Please rebase and squash commits if necessary.
_ Patch Compile Tests _
+1 💚 mvninstall 1m 6s the patch passed
+1 💚 compile 24m 32s the patch passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1
+1 💚 javac 24m 32s the patch passed
+1 💚 compile 21m 53s the patch passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
+1 💚 javac 21m 53s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
-0 ⚠️ checkstyle 1m 25s /results-checkstyle-hadoop-common-project_hadoop-common.txt hadoop-common-project/hadoop-common: The patch generated 2 new + 92 unchanged - 0 fixed = 94 total (was 92)
+1 💚 mvnsite 1m 58s the patch passed
+1 💚 javadoc 1m 23s the patch passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1
+1 💚 javadoc 1m 5s the patch passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
+1 💚 spotbugs 3m 1s the patch passed
+1 💚 shadedclient 26m 32s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 18m 22s hadoop-common in the patch passed.
+1 💚 asflicense 1m 17s The patch does not generate ASF License warnings.
233m 30s
Subsystem Report/Notes
Docker ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4693/8/artifact/out/Dockerfile
GITHUB PR #4693
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets xmllint
uname Linux bb8f8c1c3dfe 4.15.0-175-generic #184-Ubuntu SMP Thu Mar 24 17:48:36 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 31572d6
Default Java Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4693/8/testReport/
Max. process+thread count 3144 (vs. ulimit of 5500)
modules C: hadoop-common-project/hadoop-common U: hadoop-common-project/hadoop-common
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4693/8/console
versions git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

@sunchao sunchao merged commit e40b3a3 into apache:trunk Aug 17, 2022
@sunchao
Member

sunchao commented Aug 17, 2022

Thanks, merged to trunk

@snmvaughan snmvaughan deleted the feature/HDFS-4043 branch August 22, 2022 21:54
HarshitGupta11 pushed a commit to HarshitGupta11/hadoop that referenced this pull request Nov 28, 2022