Hi,

The security documentation specifies how to test a secure cluster by using
kinit and thus adding the Kerberos principal TGT to the ticket cache, which
the Hadoop client code uses to acquire service tickets for use in the cluster.
What if I created an application that used the Hadoop API to communicate with
the HDFS and/or MapReduce protocols? Is there a programmatic way to inform Hadoop to
use a particular Kerberos principal name with a keytab that contains its
password key?  I didn't see a way to integrate with JAAS KrbLoginModule.
I was thinking that if I could inject a callbackHandler, I could pass the
principal name, and the KrbLoginModule already has options to specify a keytab.
Is this something that is possible?  Or is this just not the right way to do
things?

I read about impersonation, where authentication is performed with a system user
such as "oozie" and then it just impersonates other users so that permissions are
based on the impersonated user instead of the system user.

Please help me understand my options for executing Hadoop tasks in a
multi-tenant application.

Thank you!
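
Added example, not part of the original message: a sketch of the impersonation pattern described above, using Hadoop's `UserGroupInformation` API to log a service principal in from a keytab and then act on HDFS as a tenant user. The principal, keytab path, tenant name and class name are placeholders chosen for illustration, and the cluster is assumed to allow this service account to proxy via `hadoop.proxyuser.<short name>.hosts` and `.groups` in its `core-site.xml`.

```java
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

public class TenantHdfsClient {
    // Placeholder values (assumptions, not taken from the original message).
    private static final String SERVICE_PRINCIPAL = "svc-app/app01.example.com@EXAMPLE.COM";
    private static final String KEYTAB_PATH = "/etc/security/keytabs/svc-app.keytab";

    public static void main(String[] args) throws Exception {
        // The tenant name must come from the application's own authenticated
        // session, never from an unauthenticated request field. "alice" is a
        // constructed sample value.
        String tenantUser = args.length > 0 ? args[0] : "alice";

        // Loads core-site.xml / hdfs-site.xml from the classpath.
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);

        // Keytab login: no kinit and no shared ticket cache involved.
        UserGroupInformation serviceUgi = UserGroupInformation
                .loginUserFromKeytabAndReturnUGI(SERVICE_PRINCIPAL, KEYTAB_PATH);

        // In a long-running service, call this before each unit of work so an
        // expired TGT is renewed from the keytab.
        serviceUgi.checkTGTAndReloginFromKeytab();

        // The cluster authenticates the service principal but authorizes
        // (and audits) the request as tenantUser.
        UserGroupInformation tenantUgi =
                UserGroupInformation.createProxyUser(tenantUser, serviceUgi);

        FileStatus[] listing = tenantUgi.doAs(
                (PrivilegedExceptionAction<FileStatus[]>) () -> {
                    // newInstance avoids sharing a cached FileSystem across tenants.
                    try (FileSystem fs = FileSystem.newInstance(conf)) {
                        return fs.listStatus(new Path("/user/" + tenantUser));
                    }
                });

        for (FileStatus st : listing) {
            System.out.println(st.getOwner() + "\t" + st.getPath());
        }
    }
}
```

Restricting the `hadoop.proxyuser` host and group settings to the application hosts and the tenant groups limits what a stolen keytab can impersonate.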

