[jira] [Commented] (HADOOP-15440) Support kerberos principal name pattern for KerberosAuthenticationHandler

Thu, 01 Aug 2019 21:30:27 -0700 


    [ 
https://issues.apache.org/jira/browse/HADOOP-15440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16898548#comment-16898548
 ] 

He Xiaoqiao commented on HADOOP-15440:
--------------------------------------

Thanks [~jojochuang] for getting this issue back,  [^HADOOP-15440.002.patch] 
try to fix checkstyle and pending Jenkins.
{quote}please make some examples in the summary so this is easier to 
understand.{quote}
When setup HttpFS server or KMS server in security mode, we should config the 
item `httpfs.authentication.kerberos.principal` for httpfs principal. Since it 
doesn't support to convert Kerberos principal name pattern to valid Kerberos 
principal names, so we have to config the principal value with the real 
hostname rather than the hostname patter `_HOST` as the following shows, thus 
we have to prepare different configs for different HttpFS instance or KMS 
instance.
{code:java}
    <property>
        <name>httpfs.authentication.kerberos.principal</name>
        <value>HTTP/`hostname`@REALM</value>
    </property>
{code}
cc [~jojochuang],[~eyang], [[email protected]] Please take a reviews if you 
have times. Thanks again.

> Support kerberos principal name pattern for KerberosAuthenticationHandler
> -------------------------------------------------------------------------
>
>                 Key: HADOOP-15440
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15440
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: He Xiaoqiao
>            Assignee: He Xiaoqiao
>            Priority: Major
>         Attachments: HADOOP-15440-trunk.001.patch, HADOOP-15440.002.patch
>
>
> When setup HttpFS server or KMS server in security mode, we have to config 
> kerberos principal for these service, it doesn't support to convert Kerberos 
> principal name pattern to valid Kerberos principal names whereas 
> NameNode/DataNode and many other service can do that, so it makes confused 
> for users. so I propose to replace hostname pattern with hostname, which 
> should be fully-qualified domain name.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to