Repository: hadoop Updated Branches: refs/heads/YARN-1051 f00e7af8a -> e82461be5
KMS: Support for multiple Kerberos principals. (tucu)
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/fad4cd85
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/fad4cd85
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/fad4cd85
Branch: refs/heads/YARN-1051
Commit: fad4cd85b313a1d2378adcf03cad67e946a12cd5
Parents: 52945a3
Author: Alejandro Abdelnur <t...@apache.org>
Authored: Thu Sep 18 16:03:38 2014 -0700
Committer: Alejandro Abdelnur <t...@apache.org>
Committed: Thu Sep 18 16:03:38 2014 -0700
----------------------------------------------------------------------
hadoop-common-project/hadoop-common/CHANGES.txt | 2 ++
.../crypto/key/kms/KMSClientProvider.java | 3 +++
.../hadoop-kms/src/site/apt/index.apt.vm | 26 +++++++++++++++++++-
3 files changed, 30 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hadoop/blob/fad4cd85/hadoop-common-project/hadoop-common/CHANGES.txt
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 2e2d569..f21771b 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -834,6 +834,8 @@ Release 2.6.0 - UNRELEASED
HADOOP-11105. MetricsSystemImpl could leak memory in registered callbacks.
(Chuan Liu via cnauroth)
+ KMS: Support for multiple Kerberos principals. (tucu)
+
Release 2.5.1 - 2014-09-05
INCOMPATIBLE CHANGES
http://git-wip-us.apache.org/repos/asf/hadoop/blob/fad4cd85/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
index 899b6c4..a97463a 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
@@ -45,6 +45,7 @@ import java.io.InputStream;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.io.Writer;
+import java.lang.reflect.UndeclaredThrowableException;
import java.net.HttpURLConnection;
import java.net.SocketTimeoutException;
import java.net.URI;
@@ -400,6 +401,8 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
});
} catch (IOException ex) {
throw ex;
+ } catch (UndeclaredThrowableException ex) {
+ throw new IOException(ex.getUndeclaredThrowable());
} catch (Exception ex) {
throw new IOException(ex);
}
http://git-wip-us.apache.org/repos/asf/hadoop/blob/fad4cd85/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm b/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
index b2755a1..cf7a557 100644
--- a/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
+++ b/hadoop-common-project/hadoop-kms/src/site/apt/index.apt.vm
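Review bot: The new `catch (UndeclaredThrowableException ex)` in the second hunk wraps `ex.getUndeclaredThrowable()` in a fresh `IOException` even when the unwrapped cause already is an `IOException`, so callers that catch a specific `IOException` subtype or inspect the exception class now see only the generic wrapper; rethrowing the cause directly when it is an `IOException` keeps that type: `Throwable cause = ex.getUndeclaredThrowable(); if (cause instanceof IOException) throw (IOException) cause; throw new IOException(cause);`. `getUndeclaredThrowable()` is documented as possibly returning null, in which case the thrown `IOException` carries neither message nor cause and the original stack trace is lost, so a null fallback such as `throw new IOException(ex)` is worth adding. A one-line comment stating where the undeclared throwable comes from — presumably the privileged action closed by the `});` context line just above, which cannot declare checked exceptions — would explain why this catch must precede the generic `catch (Exception ex)`. The enclosing method starts before and ends after this hunk.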
@@ -602,7 +602,31 @@ $ keytool -genkey -alias tomcat -keyalg RSA
*** HTTP Kerberos Principals Configuration
- TBD
+ When KMS instances are behind a load-balancer or VIP, clients will use the
+ hostname of the VIP. For Kerberos SPNEGO authentication, the hostname of the
+ URL is used to construct the Kerberos service name of the server,
+ <<<HTTP/#HOSTNAME#>>>. This means that all KMS instances must have a Kerberos
+ service name with the load-balancer or VIP hostname.
+
+ In order to be able to access directly a specific KMS instance, the KMS
+ instance must also have Keberos service name with its own hostname. This is
+ required for monitoring and admin purposes.
+
+ Both Kerberos service principal credentials (for the load-balancer/VIP
+ hostname and for the actual KMS instance hostname) must be in the keytab file
+ configured for authentication. And the principal name specified in the
+ configuration must be '*'. For example:
+
++---+
+ <property>
+ <name>hadoop.kms.authentication.kerberos.principal</name>
+ <value>*</value>
+ </property>
++---+
+
+ <<NOTE:>> If using HTTPS, the SSL certificate used by the KMS instance must
+ be configured to support multiple hostnames (see Java 7
+ <<<keytool>> SAN extension support for details on how to do this).
*** HTTP Authentication Signature