[ https://issues.apache.org/jira/browse/HADOOP-17005?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17089685#comment-17089685 ]
Steve Loughran commented on HADOOP-17005:
-----------------------------------------

* all patches must be against hadoop trunk, not branch-2
* MiniKDC for testing
* you need to consider the name of the principal too. Most production systems need keytabs with many principals, one per service per node, not just for style reasons but because KDCs treat 1000 logins as the same user as some brute force attack, not HDFS cluster boot.

Know also that we are scared of UGI. It's a critical piece of code where we are reluctant to make changes because it's so brittle. Meaning: before trying to get a patch in, you'll need to make a strong case for doing it all.

Given the need for multiple apps on a single node and the need for different principals for each service on a node, I'm not sure how automatic you can be.

> Add capability in hadoop-client to automatically login from a client/service keytab
> -----------------------------------------------------------------------------------
>
>                 Key: HADOOP-17005
>                 URL: https://issues.apache.org/jira/browse/HADOOP-17005
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>   Affects Versions: 2.0.0-alpha
>            Reporter: Maziar Mirzazad
>            Priority: Minor
>             Fix For: 2.9.2
>
>
> With the existing Hadoop client implementation, client applications for services
> that are using kerberized clusters need to handle keytab-based login in
> their code before doing HDFS or M/R API calls.
> To avoid that, we are proposing adding keytab-based auto login to the hadoop
> client library, with configurable and default paths for keytabs.
> This functionality helps new service owners as well as those transitioning
> from non-kerberized clusters to kerberized ones.
> Auto login should avoid extra login attempts in case a valid TGT is already
> available.
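The keytab login that the issue description says client applications currently handle in their own code, as an added example (not code from the issue, its patch, or Hadoop itself). It assumes hadoop-client on the classpath; the two configuration key names and the `EXAMPLE.COM` realm are hypothetical, and `hasKerberosCredentials()` reports that Kerberos credentials are held, not that the TGT is unexpired.

```java
import java.io.IOException;
import java.net.InetAddress;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;

public class KeytabLoginExample {
  // Hypothetical configuration keys, invented for this example.
  static final String PRINCIPAL_KEY = "example.service.kerberos.principal";
  static final String KEYTAB_KEY = "example.service.keytab.file";

  /** Log in from the service keytab unless Kerberos credentials are already held. */
  static UserGroupInformation ensureLogin(Configuration conf) throws IOException {
    UserGroupInformation.setConfiguration(conf);
    if (!UserGroupInformation.isSecurityEnabled()) {
      return UserGroupInformation.getCurrentUser(); // non-kerberized cluster
    }
    UserGroupInformation ugi = UserGroupInformation.getLoginUser();
    if (ugi.hasKerberosCredentials()) {
      // Ticket cache or an earlier keytab login: no extra login against the KDC.
      // For keytab logins this renews a TGT close to expiry; otherwise it is a no-op.
      ugi.checkTGTAndReloginFromKeytab();
      return ugi;
    }
    String keytab = conf.get(KEYTAB_KEY);
    String principalPattern = conf.get(PRINCIPAL_KEY); // e.g. "svc/_HOST@EXAMPLE.COM"
    if (keytab == null || principalPattern == null) {
      throw new IOException("Set " + KEYTAB_KEY + " and " + PRINCIPAL_KEY);
    }
    // _HOST expands to this node's FQDN, giving one principal per service per node.
    String principal = SecurityUtil.getServerPrincipal(
        principalPattern, InetAddress.getLocalHost().getCanonicalHostName());
    UserGroupInformation.loginUserFromKeytab(principal, keytab);
    return UserGroupInformation.getLoginUser();
  }

  public static void main(String[] args) throws IOException {
    Configuration conf = new Configuration(); // reads core-site.xml from the classpath
    UserGroupInformation ugi = ensureLogin(conf);
    System.out.println("Running as " + ugi.getUserName());
    try (FileSystem fs = FileSystem.get(conf)) {
      System.out.println("Root exists: " + fs.exists(new Path("/")));
    }
  }
}
```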