[ 
https://issues.apache.org/jira/browse/HADOOP-10183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13861994#comment-13861994
 ] 

Mubashir Kazia commented on HADOOP-10183:
-----------------------------------------

All I'm trying to address in this patch is, without breaking the current 
behavior, checks, etc. when an SPN style principal is present in the keytab, 
also allowing UPN style principals. I have not removed any check or introduced 
more than what was already there. And when a UPN style principal is present, it 
uses the canonical hostname of the server to advertise in SASL, and on the 
client side it uses the server's SASL-advertised hostname. The current code 
picked it up from the configured SPN, which I have not changed.

If someone sees a benefit in keeping separate principals, this does not stop 
that, and if anyone wants to share the same principal, this patch does not 
force them to keep it separate. 

Can you please explain what you mean by "check for correct user"? AFAIK I have 
not changed any current behavior if an SPN style principal is used. 

I can rework the patch to use KerberosName if that is what is preferred. My 
intention was to keep the changes minimal.

> Allow use of UPN style principals in keytab files
> -------------------------------------------------
>
>                 Key: HADOOP-10183
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10183
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.2.0
>            Reporter: Mubashir Kazia
>            Assignee: Mubashir Kazia
>         Attachments: AppConnection.java, HADOOP-10183.patch, 
> HADOOP-10183.patch.1, Jaas.java, SaslTestClient.java, SaslTestServer.java, 
> hdfs.keytab, jaas-krb5.conf, krb5.conf
>
>
> Hadoop currently only allows SPN style (e.g. hdfs/node.fqdn@REALM) principals 
> in keytab files in a cluster configured with Kerberos security. This causes 
> the burden of creating multiple principals and keytabs for each node of the 
> cluster. Active Directory allows the use of a single principal across multiple 
> hosts if the SPNs for the different hosts have been set up correctly on the 
> principal. With this scheme we have the server side using a keytab file with a 
> UPN style (e.g. hdfs@REALM) principal for a given service for all the nodes 
> of the cluster. The client side will request service tickets with the SPN and 
> its own TGT, and Active Directory will grant service tickets with the correct 
> secret. 
> This will simplify the use of principals and keytab files for Active 
> Directory users with one principal for each service across all the nodes of 
> the cluster. 
> I have a patch to allow the use of UPN style principals in Hadoop. The patch 
> will not affect the use of SPN style principals. I couldn't figure out a way 
> to write test cases against MiniKDC, so I have included the Oracle/Sun sample 
> SASL server and client code along with the configuration I used to confirm 
> this scheme works. 



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
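The naming scheme the issue and comment describe (an SPN style keytab entry keeps advertising its embedded host, a UPN style entry advertises the server's canonical hostname, and the client always asks the KDC for service/host@REALM built from whatever hostname the server advertised), as an added model in Python that is not part of Hadoop or of the attached patch. The regex, the `Principal` class and the `keytab_serves_request` check are assumptions of this example; the rule that a UPN keytab should only accept the SPN of the host the server actually is, is my own reading of the scheme, not something the patch states.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed shape of a Kerberos principal: service[/host]@REALM (no escaping handled)
PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@]+)(?:/(?P<host>[^/@]+))?@(?P<realm>[^@]+)$")


@dataclass(frozen=True)
class Principal:
    service: str
    host: Optional[str]   # None for UPN style (hdfs@REALM), set for SPN style
    realm: str

    @property
    def style(self) -> str:
        return "SPN" if self.host else "UPN"


def parse_principal(name: str) -> Principal:
    m = PRINCIPAL_RE.match(name)
    if not m:
        raise ValueError(f"malformed principal: {name!r}")
    return Principal(m["service"], m["host"], m["realm"])


def server_sasl_hostname(keytab_principal: str, canonical_hostname: str) -> str:
    """Hostname the server advertises in SASL: the host embedded in an SPN style
    principal (existing behaviour), or the server's canonical hostname when the
    keytab holds a UPN style principal (what the issue proposes)."""
    p = parse_principal(keytab_principal)
    return p.host if p.style == "SPN" else canonical_hostname


def client_service_principal(service: str, advertised_hostname: str, realm: str) -> str:
    """The SPN the client requests a service ticket for. It is always built as
    service/host@REALM from the advertised hostname, regardless of whether the
    server's keytab entry is SPN or UPN style."""
    return f"{service}/{advertised_hostname}@{realm}"


def keytab_serves_request(keytab_principal: str, requested_spn: str, canonical_hostname: str) -> bool:
    """Server-side check (assumption of this example) that a keytab entry should
    accept a ticket issued for requested_spn. Service and realm must match; an SPN
    entry must match the host exactly; a UPN entry shares one key across every SPN
    registered on the AD account, so it is limited here to this server's own host."""
    kt, req = parse_principal(keytab_principal), parse_principal(requested_spn)
    if kt.service != req.service or kt.realm != req.realm:
        return False
    if kt.style == "SPN":
        return kt.host == req.host
    return req.host == canonical_hostname
```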
