[ https://issues.apache.org/jira/browse/HADOOP-17005?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17089685#comment-17089685 ]

Steve Loughran commented on HADOOP-17005:
-----------------------------------------

* all patches must be against hadoop trunk, not branch-2
* MiniKDC for testing
* you need to consider the name of the principal too. Most production systems 
need keytabs with many principals, one per service per node, not just for style 
reasons but because KDCs treat 1000 logins as the same user as some brute force 
attack, not HDFS cluster boot.

Know also that we are scared of UGI. It's a critical piece of code where we are 
reluctant to make changes because it's so brittle.

Meaning: before trying to get a patch in, you'll need to make a strong case for 
doing it all. Given the need for multiple apps on a single node and the need 
for different principals for each service on a node, I'm not sure how automatic 
you can be.

> Add capability in hadoop-client to automatically login from a client/service 
> keytab
> -----------------------------------------------------------------------------------
>
>                 Key: HADOOP-17005
>                 URL: https://issues.apache.org/jira/browse/HADOOP-17005
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.0.0-alpha
>            Reporter: Maziar Mirzazad
>            Priority: Minor
>             Fix For: 2.9.2
>
>
> With the existing Hadoop client implementation, client applications for services
> that are using kerberized clusters need to handle Keytab based login in
> their code, before doing HDFS or M/R API calls.
> To avoid that, we are proposing adding Keytab based auto login to hadoop 
> client library with configurable and default paths for Keytabs. 
> This functionality helps new service owners as well as those transitioning 
> from non-kerberized cluster to kerberized ones.
> Auto login should avoid extra login attempts in case a valid TGT is already
> available.


