[ 
https://issues.apache.org/jira/browse/HADOOP-15440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17064250#comment-17064250
 ] 

Xiaoqiao He commented on HADOOP-15440:
--------------------------------------

Thanks [~eyang] for your suggestions, and I am very sorry for missing this JIRA 
for a long time.
{quote}for case `test/_HOST/test`, it will be replaced to `test/$hostname/test`.
It probably should throw error if the format is not a proper kerberos service 
principal.{quote}
It could be checked in the following statement for this case, IIUC.
{quote}Principal krbPrincipal = new KerberosPrincipal(spng);{quote}
{quote}I think Hadoop is using hadoop.security.dns.interface to determine which 
hostname to bind. This may help for the hostname lookup.{quote}
It is true that using `hadoop.security.dns.interface` is more accurate. 
Actually this logic is implemented completely in `SecurityUtil`, but when I want 
to import `hadoop-common` into sub-module `hadoop-auth` it throws a cyclic 
reference exception. So my question is whether we need to add the same logic in 
sub-module `hadoop-auth`, or is there some other solution? Sorry, I am not very 
familiar with this module. Thanks again.

> Support kerberos principal name pattern for KerberosAuthenticationHandler
> -------------------------------------------------------------------------
>
>                 Key: HADOOP-15440
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15440
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Xiaoqiao He
>            Assignee: Xiaoqiao He
>            Priority: Major
>         Attachments: HADOOP-15440-trunk.001.patch, HADOOP-15440.002.patch
>
>
> When setting up an HttpFS server or KMS server in security mode, we have to 
> configure the Kerberos principal for these services. It does not support 
> converting a Kerberos principal name pattern to valid Kerberos principal names, 
> whereas NameNode/DataNode and many other services can do that, so it is 
> confusing for users. So I propose to replace the hostname pattern with the 
> hostname, which should be a fully-qualified domain name.
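
Added example, not part of the original message or of the attached Hadoop patches: one way to validate a configured principal before substituting `_HOST`, so that a malformed value such as `test/_HOST/test` is rejected instead of rewritten. The class name, the `resolve` helper, the sample hostname and the rule that the hostname must contain a dot are assumptions made for illustration.

```java
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: strict _HOST substitution for a Kerberos service principal. */
public class HostPatternExample {
    static final String HOST_TOKEN = "_HOST";

    // service/instance with an optional @REALM; no extra '/' or '@' components allowed.
    private static final Pattern SERVICE_PRINCIPAL =
        Pattern.compile("([^/@\\s]+)/([^/@\\s]+)(@[^/@\\s]+)?");

    /** Returns the principal with _HOST replaced by fqdn, or throws if it is malformed. */
    static String resolve(String configured, String fqdn) {
        Matcher m = SERVICE_PRINCIPAL.matcher(configured);
        if (!m.matches()) {
            throw new IllegalArgumentException("not service/instance[@REALM]: " + configured);
        }
        String service = m.group(1);
        String instance = m.group(2);
        String realm = m.group(3) == null ? "" : m.group(3);
        if (service.contains(HOST_TOKEN) || realm.contains(HOST_TOKEN)) {
            throw new IllegalArgumentException("_HOST only allowed as the instance: " + configured);
        }
        if (!HOST_TOKEN.equals(instance)) {
            return configured; // literal principal, nothing to substitute
        }
        // Assumption: the caller supplies the FQDN; require a dot so a short name is rejected.
        if (fqdn == null || !fqdn.contains(".") || fqdn.contains("/") || fqdn.contains("@")) {
            throw new IllegalArgumentException("hostname is not fully qualified: " + fqdn);
        }
        return service + "/" + fqdn.toLowerCase(Locale.ROOT) + realm;
    }

    public static void main(String[] args) {
        String host = "Gateway01.example.com"; // constructed sample hostname
        String[] samples = {"HTTP/_HOST@EXAMPLE.COM", "HTTP/kms.example.com@EXAMPLE.COM",
                            "test/_HOST/test", "_HOST/_HOST@EXAMPLE.COM"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + resolve(s, host));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```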
