[
https://issues.apache.org/jira/browse/HDFS-1023?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12841651#action_12841651
]
Jakob Homan commented on HDFS-1023:
-----------------------------------
{quote}It is pretty amazing/disappointing that the normal HTTP/[machine]
doesn't work. {quote}
I was pretty amazed at this too. Definitely complicates deploying a secure
cluster, although only the NN and SNN need to have these combined keytabs,
since they are the only https servers.
Line 299:
http://hg.openjdk.java.net/jdk7/tl/jdk/file/893034df4ec2/src/share/classes/sun/security/ssl/krb5/KerberosClientKeyExchangeImpl.java
> Allow http server to start as regular principal if https principal not
> defined.
> -------------------------------------------------------------------------------
>
> Key: HDFS-1023
> URL: https://issues.apache.org/jira/browse/HDFS-1023
> Project: Hadoop HDFS
> Issue Type: Improvement
> Reporter: Jakob Homan
> Assignee: Jakob Homan
> Attachments: HDFS-1023-Y20.patch
>
>
> Currently limitations in Sun's KerbSSL implementation require the https
> server to be run as "host/[machi...@realm." and another Sun KerbSSL
> limitation appears to require you to store all principals in the same keytab,
> meaning fully functional, secured Namenodes require combined keytabs.
> However, it may be that one wishes to run a namenode without a secondary
> namenode or other utilities that require https. In this case, we should
> allow the http server to start and log a warning that it will not be able to
> accept https connections.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
