[ https://issues.apache.org/jira/browse/HADOOP-9296?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13883034#comment-13883034 ]

Daryn Sharp commented on HADOOP-9296:
-------------------------------------

[~tucu00] The RPC case is a bit different.  SPNEGO dictates that you must use 
distinct principals for each addr, whereas SASL does not have this requirement. 
 Other than the desire to avoid multiple principals, the RPC server lacks 
support for multiple principals which Benoy appears to be addressing.

[~benoyantony] I'm swamped at the minute, so would you please give a more 
detailed description of what the patch is doing?  It seems a bit more 
complicated than described, at least code-wise.  Are the RPC changes fully 
backwards compatible?

> Authenticating users from different realm without a trust relationship
> ----------------------------------------------------------------------
>
>                 Key: HADOOP-9296
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9296
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Benoy Antony
>            Assignee: Benoy Antony
>         Attachments: HADOOP-9296-1.1.patch, HADOOP-9296.patch, 
> HADOOP-9296.patch, multirealm.pdf
>
>
> Hadoop Masters (JobTracker and NameNode) and slaves (Data Node and 
> TaskTracker) are part of the Hadoop domain, controlled by Hadoop Active 
> Directory. 
> The users belong to the CORP domain, controlled by the CORP Active Directory. 
> In the absence of a one-way trust from HADOOP DOMAIN to CORP DOMAIN, how will 
> Hadoop Servers (JobTracker, NameNode) authenticate CORP users?
> The solution and implementation details are in the attachment.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
