HADOOP-12665. Document hadoop.security.token.service.use_ip. (#3187)

aajisaka · web-flow · commit c81f82e21d13 · 2021-07-12T10:16:13.000+09:00
Reviewed-by: Masatake Iwasaki &lt;iwasakims@apache.org&gt;
Reviewed-by: Chris Nauroth &lt;cnauroth@apache.org&gt;
diff --git a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
@@ -701,6 +701,27 @@
   </description>
 </property>
 
+  <property>
+    <name>hadoop.security.token.service.use_ip</name>
+    <value>true</value>
+    <description>
+      Controls whether tokens always use IP addresses.
+      DNS changes will not be detected if this option is enabled.
+      Existing client connections that break will always reconnect
+      to the IP of the original host. New clients will connect
+      to the host's new IP but fail to locate a token.
+      Disabling this option will allow existing and new clients
+      to detect an IP change and continue to locate the new host's token.
+
+      In secure multi-homed environments, this parameter will need to
+      be set to false on both cluster servers and clients (see HADOOP-7733).
+      If it is not set correctly, the symptom will be inability to
+      submit an application to YARN from an external client
+      (with error "client host not a member of the Hadoop cluster"),
+      or even from an in-cluster client if server failover occurs.
+    </description>
+  </property>
+
 <property>
   <name>hadoop.workaround.non.threadsafe.getpwuid</name>
   <value>true</value>
