reverse resolve the namenode hostname for kerberos spn

Author: realityone

internal/rpc/kerberos.go

@@ -6,6 +6,7 @@ import (
 	"net"
 	"regexp"
 	"sort"
+	"strings"
 
 	hadoop "github.com/colinmarc/hdfs/v2/internal/protocol/hadoop_common"
 	"github.com/colinmarc/hdfs/v2/internal/sasl"
@@ -170,10 +171,32 @@ func (c *NamenodeConnection) readSaslResponse(expectedState hadoop.RpcSaslProto_
 	return resp, nil
 }
 
+func reverseResolve(host string) string {
+	addrs, err := net.LookupHost(host)
+	if err != nil {
+		return ""
+	}
+	for _, addr := range addrs {
+		names, err := net.LookupAddr(addr)
+		if err != nil {
+			continue
+		}
+		for _, name := range names {
+			return strings.TrimSuffix(name, ".")
+		}
+	}
+	return ""
+}
+
 // getKerberosTicket returns an initial kerberos negotiation token and the
 // paired session key, along with an error if any occured.
 func (c *NamenodeConnection) getKerberosTicket() (spnego.NegTokenInit, krbtypes.EncryptionKey, error) {
 	host, _, _ := net.SplitHostPort(c.host.address)
+	// Hadoop uses the reverse-resolved hostname for the SPN, so we do the same.
+	// https://github.com/apache/hadoop/blob/7a7db7f0dc4107f44b281eb834fdffc9fd9b08b3/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/DFSUtil.java#L445
+	if revHost := reverseResolve(host); revHost != "" {
+		host = revHost
+	}
 	spn := replaceSPNHostWildcard(c.kerberosServicePrincipleName, host)
 
 	ticket, key, err := c.kerberosClient.GetServiceTicket(spn)