[ https://issues.apache.org/jira/browse/HADOOP-10183?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mubashir Kazia updated HADOOP-10183:
------------------------------------
Attachment: SaslTestServer.java
            SaslTestClient.java
            AppConnection.java
            Jaas.java
            jaas-krb5.conf
            hdfs.keytab
            krb5.conf
            HADOOP-10183.patch
For testing please run the server and client as follows:

Server:
java -Djava.security.krb5.conf=krb5.conf -Djava.security.auth.login.config=jaas-krb5.conf -Dsun.security.krb5.debug=true SaslTestServer hdfs <hostname>

Client:
java -Djava.security.krb5.conf=krb5.conf -Djava.security.auth.login.config=jaas-krb5.conf -Dsun.security.krb5.debug=true SaslTestClient hdfs <hostname>
> Allow use of UPN style principals in keytab files
> -------------------------------------------------
>
> Key: HADOOP-10183
> URL: https://issues.apache.org/jira/browse/HADOOP-10183
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Mubashir Kazia
> Attachments: AppConnection.java, HADOOP-10183.patch, Jaas.java,
> SaslTestClient.java, SaslTestServer.java, hdfs.keytab, jaas-krb5.conf,
> krb5.conf
>
>
> Hadoop currently only allows SPN style (e.g. hdfs/node.fqdn@REALM) principals
> in keytab files in a cluster configured with Kerberos security. This causes
> the burden of creating multiple principals and keytabs for each node of the
> cluster. Active Directory allows the use of a single principal across multiple
> hosts if the SPNs for the different hosts have been set up correctly on the
> principal. With this scheme we have the server side using a keytab file with a
> UPN style (e.g. hdfs@REALM) principal for a given service for all the nodes
> of the cluster. The client side will request service tickets with the SPN and
> its own TGT, and Active Directory will grant service tickets with the correct
> secret.
> This will simplify the use of principals and keytab files for Active
> Directory users, with one principal for each service across all the nodes of
> the cluster.
> I have a patch to allow the use of UPN style principals in Hadoop. The patch
> will not affect the use of SPN style principals. I couldn't figure out a way
> to write test cases against MiniKDC, so I have included the Oracle/Sun sample
> SASL server and client code along with the configuration I used to confirm
> this scheme works.
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
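The issue description above turns on the difference between an SPN style principal (hdfs/node.fqdn@REALM, one per host) and a UPN style principal (hdfs@REALM, shared across hosts) in a keytab. The following is an added example, not part of the JIRA issue, the attached patch, or the attached Sun/Oracle sample code: it builds a small MIT-format (version 0x0502) keytab in memory with one entry of each style, parses it back, and classifies each principal by whether its name part contains a `/` component separator. The realm, host name, kvno, enctype number and key bytes are constructed placeholders; the parser follows the public MIT keytab layout (length-prefixed realm and components, name type, timestamp, 8-bit kvno, enctype plus key, optional 32-bit kvno).

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format version 0x0502
KRB5_NT_PRINCIPAL = 1        # name type used for ordinary principals


@dataclass
class KeytabEntry:
    principal: str   # rendered as comp1/comp2@REALM
    name_type: int
    kvno: int
    enctype: int
    key: bytes


def _counted(data: bytes) -> bytes:
    """16-bit big-endian length prefix followed by the bytes (keytab 'counted octet string')."""
    return struct.pack(">H", len(data)) + data


def build_entry(components: List[str], realm: str, kvno: int, enctype: int,
                key: bytes, timestamp: int = 0) -> bytes:
    """Serialise one keytab entry (constructed test data, not a real key)."""
    body = struct.pack(">H", len(components))          # v0x0502: realm not counted
    body += _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)                     # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body          # signed size; negative = deleted slot


def build_keytab(entries: List[bytes]) -> bytes:
    return KEYTAB_MAGIC + b"".join(entries)


def _read_counted(blob: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + n], pos + n


def parse_keytab(blob: bytes) -> List[KeytabEntry]:
    """Walk every live entry of a v0x0502 keytab and return principal, kvno, enctype and key."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, out = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                 # deleted slot: skip its payload
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(blob, pos)
            comps.append(c.decode())
        name_type, _ts, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        key, pos = _read_counted(blob, pos)
        kvno = vno8
        if end - pos >= 4:           # 32-bit kvno present and non-zero overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", blob, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        out.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                               name_type, kvno, enctype, key))
    return out


def principal_style(principal: str) -> str:
    """'SPN' for service/host@REALM, 'UPN' for a single-component name@REALM."""
    name = principal.split("@", 1)[0]
    return "SPN" if "/" in name else "UPN"


def summarize(blob: bytes) -> Dict[str, str]:
    """Map each principal in the keytab to its style, which is the check a reviewer of this issue wants."""
    return {e.principal: principal_style(e.principal) for e in parse_keytab(blob)}


# Constructed sample: one UPN entry and one SPN entry for the same service.
SAMPLE_KEYTAB = build_keytab([
    build_entry(["hdfs"], "EXAMPLE.COM", kvno=3, enctype=18, key=b"\x01" * 32),
    build_entry(["hdfs", "node1.example.com"], "EXAMPLE.COM", kvno=3, enctype=18, key=b"\x02" * 32),
])

if __name__ == "__main__":
    for principal, style in summarize(SAMPLE_KEYTAB).items():
        print("%-40s %s" % (principal, style))
```

Running the block against a real keytab (`summarize(open("hdfs.keytab", "rb").read())`) shows at a glance whether a node's keytab carries per-host SPN entries or the single shared UPN entry the issue proposes; the `_HOST`-substituted principal Hadoop expects must match one of the listed names for login to succeed either way.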