chendihao created HADOOP-16779:
----------------------------------

             Summary: Support dynamic change Kerberos user and KDC to access multiple Hadoop clusters
                 Key: HADOOP-16779
                 URL: https://issues.apache.org/jira/browse/HADOOP-16779
             Project: Hadoop Common
          Issue Type: Improvement
          Components: security
            Reporter: chendihao


Currently Hadoop relies on Kerberos to do authentication and authorization. For 
a single user, we can initialize clients with keytab files on the command line 
or in a Java program.

But sometimes we need to access Hadoop as multiple users. For example, we build 
a web service to view users' HDFS files. We have authorization to get the user 
name and use this user's keytab to log in before requesting HDFS. However, this 
doesn't work for multiple Hadoop clusters and multiple KDCs.

Currently the only way to do that is to enable cross-realm for these KDCs. But 
in some scenarios we cannot change the configuration of the KDCs and want a 
single process to switch the Kerberos user on the fly without much overhead.

Here are the related discussions on StackOverflow:
 * https://stackoverflow.com/questions/15126295/using-java-programmatically-log-in-multiple-kerberos-realms-with-different-keyta
 * https://stackoverflow.com/questions/57008499/data-transfer-between-two-kerberos-secured-cluster
 * https://stackoverflow.com/questions/22047145/hadoop-distcp-between-two-securedkerberos-clusters
 * https://stackoverflow.com/questions/39648106/access-two-secured-kerberos-hadoop-hbase-clusters-from-the-same-process
 * https://stackoverflow.com/questions/1437281/reload-kerberos-config-in-java-without-restarting-jvm



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
