[ https://issues.apache.org/jira/browse/HADOOP-12676?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tianyin Xu updated HADOOP-12676:
--------------------------------
Description:
In the current implementation of {{SecurityUtil}}, we do not consider the
default keytab file of Kerberos (which is {{/etc/krb5.keytab}} in [MIT Kerberos
defaults|http://web.mit.edu/kerberos/krb5-1.13/doc/mitK5defaults.html#paths]).
If the user does not set the keytab file, an {{IOException}} will be thrown.
{code:title=SecurityUtil.java|borderStyle=solid}
public static void login(final Configuration conf,
    final String keytabFileKey, final String userNameKey, String hostname)
    throws IOException {
  ...
  String keytabFilename = conf.get(keytabFileKey);
  if (keytabFilename == null || keytabFilename.length() == 0) {
    throw new IOException("Running in secure mode, but config doesn't have a keytab");
  }
{code}
However, the default keytab location is assumed by some of the callers. For
example, in
[{{yarn-default.xml}}|https://hadoop.apache.org/docs/r2.7.1/hadoop-yarn/hadoop-yarn-common/yarn-default.xml],
||property||default||
|yarn.resourcemanager.keytab|/etc/krb5.keytab|
|yarn.nodemanager.keytab|/etc/krb5.keytab|
|yarn.timeline-service.keytab|/etc/krb5.keytab|
On the other hand, these callers directly call the {{SecurityUtil.login}}
method; therefore, the docs are incorrect: the defaults are actually
{{null}} (as we do not have a default)...
{code:title=NodeManager.java|borderStyle=solid}
protected void doSecureLogin() throws IOException {
  SecurityUtil.login(getConfig(), YarnConfiguration.NM_KEYTAB,
      YarnConfiguration.NM_PRINCIPAL);
}
{code}
I don't know if we should make {{/etc/krb5.keytab}} the default in
{{SecurityUtil}}, or ask the callers to correct their assumptions. I post here
as a potential improvement.
Thanks!
was:
In the current implementation of {{SecurityUtil}}, we do not consider the
default keytab file of Kerberos (which is {{/etc/krb5.keytab}} in [MIT Kerberos
defaults|http://web.mit.edu/kerberos/krb5-1.13/doc/mitK5defaults.html#paths]).
If the user does not set the keytab file, an {{IOException}} will be thrown.
{code:title=SecurityUtil.java|borderStyle=solid}
public static void login(final Configuration conf,
    final String keytabFileKey, final String userNameKey, String hostname)
    throws IOException {
  ...
  String keytabFilename = conf.get(keytabFileKey);
  if (keytabFilename == null || keytabFilename.length() == 0) {
    throw new IOException("Running in secure mode, but config doesn't have a keytab");
  }
{code}
However, the default keytab location is assumed by some of the callers. For
example, in
[{{yarn-default.xml}}|https://hadoop.apache.org/docs/r2.7.1/hadoop-yarn/hadoop-yarn-common/yarn-default.xml],
the defaults of {{yarn.resourcemanager.keytab}}, {{yarn.nodemanager.keytab}},
and {{yarn.timeline-service.keytab}} all point to {{/etc/krb5.keytab}}.
On the other hand, these callers directly call the {{SecurityUtil.login}}
method; therefore, the docs are incorrect: the defaults are actually
{{null}} (as we do not have a default)...
{code:title=NodeManager.java|borderStyle=solid}
protected void doSecureLogin() throws IOException {
  SecurityUtil.login(getConfig(), YarnConfiguration.NM_KEYTAB,
      YarnConfiguration.NM_PRINCIPAL);
}
{code}
I don't know if we should make {{/etc/krb5.keytab}} the default in
{{SecurityUtil}}, or ask the callers to correct their assumptions. I post here
as a potential improvement.
Thanks!
> Consider the default keytab file of Kerberos
> --------------------------------------------
>
> Key: HADOOP-12676
> URL: https://issues.apache.org/jira/browse/HADOOP-12676
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 2.7.1, 2.6.2
> Reporter: Tianyin Xu
> Priority: Minor
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
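As an added illustration (not code from the issue or from Hadoop), a plain-JDK helper showing one way the fallback discussed above could be made explicit and safe: a configured path wins, {{/etc/krb5.keytab}} is used only when nothing is configured, and the resolved file must exist, be readable, and not be exposed to group or others before any login is attempted. {{KeytabResolver}}, {{resolveKeytab}} and {{DEFAULT_KEYTAB}} are hypothetical names; the Hadoop {{conf.get(keytabFileKey)}} lookup is represented by the {{configured}} string argument.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.Set;

public class KeytabResolver {
    // MIT Kerberos default keytab path, as cited in the issue.
    static final String DEFAULT_KEYTAB = "/etc/krb5.keytab";

    /**
     * Resolve the keytab for a service login. 'configured' stands in for the
     * value read from the Hadoop config key; null or empty means "not set".
     * Hypothetical helper, not part of SecurityUtil.
     */
    public static Path resolveKeytab(String configured) throws IOException {
        boolean explicit = configured != null && !configured.isEmpty();
        Path keytab = Paths.get(explicit ? configured : DEFAULT_KEYTAB);

        if (!Files.isRegularFile(keytab)) {
            // Separate messages so an operator can tell a wrong configured
            // value from a missing implicit default.
            throw new IOException(explicit
                ? "Configured keytab does not exist: " + keytab
                : "No keytab configured and default " + DEFAULT_KEYTAB + " not found");
        }
        if (!Files.isReadable(keytab)) {
            throw new IOException("Keytab is not readable by this process: " + keytab);
        }
        // A keytab holds long-term keys; refuse one that group/others can touch.
        // (POSIX permissions only; getPosixFilePermissions throws on non-POSIX filesystems.)
        Set<PosixFilePermission> exposed = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE);
        exposed.retainAll(Files.getPosixFilePermissions(keytab));
        if (!exposed.isEmpty()) {
            throw new IOException("Keytab " + keytab + " has unsafe permissions: " + exposed);
        }
        return keytab;
    }

    public static void main(String[] args) throws IOException {
        // Pass a keytab path as the first argument, or nothing to exercise the default.
        System.out.println("Using keytab " + resolveKeytab(args.length > 0 ? args[0] : null));
    }
}
```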