[
https://issues.apache.org/jira/browse/HDFS-1023?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12841645#action_12841645
]
Allen Wittenauer commented on HDFS-1023:
----------------------------------------
> another Sun KerbSSL limitation appears to require you to store all principals
> in the same keytab
FWIW, most of the implementations (at least that are exposed to the user)
require that all principals that might get used for a given service are stored
in one keytab. Even so:
> Sun's KerbSSL implementation require the https server to be run as
> "host/[machi...@realm.
It is pretty amazing/disappointing that the normal HTTP/[machine] doesn't work.
:(
> Allow http server to start as regular principal if https principal not
> defined.
> -------------------------------------------------------------------------------
>
> Key: HDFS-1023
> URL: https://issues.apache.org/jira/browse/HDFS-1023
> Project: Hadoop HDFS
> Issue Type: Improvement
> Reporter: Jakob Homan
> Assignee: Jakob Homan
> Attachments: HDFS-1023-Y20.patch
>
>
> Currently limitations in Sun's KerbSSL implementation require the https
> server to be run as "host/[machi...@realm." and another Sun KerbSSL
> limitation appears to require you to store all principals in the same keytab,
> meaning fully functional, secured Namenodes require combined keytabs.
> However, it may be that one wishes to run a namenode without a secondary
> namenode or other utilities that require https. In this case, we should
> allow the http server to start and log a warning that it will not be able to
> accept https connections.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
