Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

the dns_canonicalize_hostname value not being respected #321

Open
alanhe opened this issue Jun 6, 2023 · 0 comments
Open

the dns_canonicalize_hostname value not being respected #321

alanhe opened this issue Jun 6, 2023 · 0 comments

Comments

@alanhe
Copy link

alanhe commented Jun 6, 2023

According to the doc: https://web.mit.edu/kerberos/krb5-devel/doc/admin/princ_dns.html#service-principal-canonicalization

If dns_canonicalize_hostname is set to true (the default value), the client performs forward resolution by looking up the IPv4 and/or IPv6 addresses of the hostname using getaddrinfo(). This process will typically add a domain suffix to the hostname if needed, and follow CNAME records in the DNS.

When doing kerberos authentication, gokrb5 reads the dns_canonicalize_hostname value and set DNSCanonicalizeHostname to true (https://github.com/jcmturner/gokrb5/blob/master/v8/config/krb5conf.go#LL182C1-L182C1), but it's not read by github.com/colinmarc/hdfs/v2. The hdfs lib does Kerberos handshake with the name node hostnames in hdfs-site.xml, not resolving to their CNAMEs.

It bothers me when the name nodes are registered by their FQDNs, but their LB names are set in the hdfs-site.xml -- something I'm no able to change.

I can bypass the issue by running net.LookupCNAME to overwrite the ClientOptions.Addresses before initializing a client, but I think it will be great if it can be handled inside the lib.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant