[ 
https://issues.apache.org/jira/browse/HADOOP-12911?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15221347#comment-15221347
 ] 

Kai Zheng commented on HADOOP-12911:
------------------------------------

Some comments:
1. Much cleaned now in pom.xml files. An issue was noted:
{code}
+    <dependency>
+      <groupId>org.apache.kerby</groupId>
+      <artifactId>kerb-simplekdc</artifactId>
+      <version>1.0.0-RC2</version>
+      <exclusions>
+        <exclusion>
+          <groupId>org.bouncycastle</groupId>
+          <artifactId>bcprov-jdk15on</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
{code}
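Review bot: the {{<version>1.0.0-RC2</version>}} line pins a release-candidate artifact, and the {{bcprov-jdk15on}} exclusion carries no comment saying why it is there. Add an XML comment beside the {{<exclusions>}} block that gives the reason and names the follow-up issue, so the exclusion is revisited when the version is bumped rather than left behind.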
The RC2 release of Kerby relied on bouncycastle by mistake, and the dependency 
will be cleaned up in the next release. Could you file an issue to mark this as 
a follow-on, so that once the new Kerby release is available this can be cleaned 
up accordingly?
2. In {{TestKMS}}, looks like the following change isn't relevant.
{noformat}
-        conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 64);
+        conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
{noformat}
3. Not sure why the following are removed. Are you sure the two configurations 
are not usable? The krb5.conf item can be set in case tests will rely on the 
env variable; the debug one can be set by tests to allow verbose output or not.
{noformat}
- * MiniKdc sets 2 System properties when started and un-sets them when stopped:
- * <ul>
- *   <li>java.security.krb5.conf: set to the MiniKDC real/host/port</li>
- *   <li>sun.security.krb5.debug: set to the debug value provided in the
- *   configuration</li>
- * </ul>
{noformat}
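Review bot: this Javadoc removal drops the only description in these lines of the two system properties, {{java.security.krb5.conf}} and {{sun.security.krb5.debug}}, that MiniKdc sets when started and un-sets when stopped. If the new code still sets them, keep the paragraph; if it no longer does, replace it with a sentence saying so, since a test that reads either property would otherwise change behaviour with nothing in the class documentation to explain it.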
4. In MiniKDC, why does it need resetDefaultRealm? I thought the desired realm can 
be set previously, then SimpleKDC will take care of it.
5. I think Kerby SimpleKDC can be improved to do the synchronization itself, 
rather than let MiniKDC bother to do it.
{code}
+    synchronized (this) {
+      simpleKdc.createPrincipals(principals);
+    }
{code}
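Review bot: the {{synchronized (this)}} block around {{simpleKdc.createPrincipals(principals)}} has no comment saying what state it protects, and a lock on {{this}} only serializes callers that go through the same enclosing object. If the shared state lives inside {{simpleKdc}}, any other caller of that object is not covered; state the invariant in a comment here or move the locking to where the state lives.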



> Upgrade Hadoop MiniKDC with Kerby
> ---------------------------------
>
>                 Key: HADOOP-12911
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12911
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: test
>            Reporter: Jiajia Li
>            Assignee: Jiajia Li
>         Attachments: HADOOP-12911-v1.patch, HADOOP-12911-v2.patch, 
> HADOOP-12911-v3.patch, HADOOP-12911-v4.patch, HADOOP-12911-v5.patch
>
>
> As discussed in the mailing list, we’d like to introduce Apache Kerby into 
> Hadoop. Initially it’s good to start with upgrading Hadoop MiniKDC with Kerby 
> offerings. Apache Kerby (https://github.com/apache/directory-kerby), as an 
> Apache Directory sub project, is a Java Kerberos binding. It provides a 
> SimpleKDC server that borrowed ideas from MiniKDC and implemented all the 
> facilities existing in MiniKDC. Currently MiniKDC depends on the old Kerberos 
> implementation in the Directory Server project, but that implementation is no 
> longer being maintained. The Directory community has a plan to replace the 
> implementation using Kerby. MiniKDC can use Kerby SimpleKDC directly to avoid 
> depending on the full Directory project. Kerby also provides nice identity 
> backends such as the lightweight memory-based one and the very simple JSON 
> one for easy development and test environments.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)