[ https://issues.apache.org/jira/browse/HADOOP-9296?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13883537#comment-13883537 ]
Daryn Sharp commented on HADOOP-9296:
-------------------------------------

@Benoy, I've looked at this a bit more. Overloading the semantics of the serverId field will cause earlier 2.x clients to fail. -1 to approaches that introduce RPC incompatibility.

Are you sure setting up a one-way trust relationship isn't the easier route? I think it's a valid feature for a multi-interface server to use the correct realm for each interface - which RPC is currently lacking - but it seems rather kludgey to support multiple realms on the same interface. Kerberos wasn't intended to work this way...

> Authenticating users from different realm without a trust relationship
> ----------------------------------------------------------------------
>
>                 Key: HADOOP-9296
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9296
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Benoy Antony
>            Assignee: Benoy Antony
>         Attachments: HADOOP-9296-1.1.patch, HADOOP-9296.patch, HADOOP-9296.patch, multirealm.pdf
>
>
> Hadoop Masters (JobTracker and NameNode) and slaves (Data Node and TaskTracker) are part of the Hadoop domain, controlled by Hadoop Active Directory.
> The users belong to the CORP domain, controlled by the CORP Active Directory.
> In the absence of a one way trust from HADOOP DOMAIN to CORP DOMAIN, how will Hadoop Servers (JobTracker, NameNode) authenticate CORP users?
> The solution and implementation details are in the attachment

--
This message was sent by Atlassian JIRA (v6.1.5#6160)