[
https://issues.apache.org/jira/browse/HDFS-12284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16661362#comment-16661362
]
Lukas Majercak commented on HDFS-12284:
---------------------------------------
[~daryn], I feel like we should distinguish between ServicePrincipalNames and
UserPrincipalNames for all services in HDFS, or at least give the admin an
option to override the user principal. The _HOST solution is okay, but it
relies on DNS giving consistent results. This inconsistency is fine for SPNs,
as you can have as many as you want in your keytab, but is not okay for client
principals.

Say you have a NN running on HOSTNAME, and set it up using hdfs/_HOST@DOMAIN
as the principal name. Now, one day, when your NN starts up and tries to
resolve itself using _HOST, your DNS server decides to return back
HOSTNAME.domain instead of the usual HOSTNAME. Your NN then uses that as the
client principal to log in, and will fail.

Maybe something like {{dfs.federation.router.kerberos.user.principal}} would be
better than {{dfs.federation.router.hostname}}.
> RBF: Support for Kerberos authentication
> ----------------------------------------
>
> Key: HDFS-12284
> URL: https://issues.apache.org/jira/browse/HDFS-12284
> Project: Hadoop HDFS
> Issue Type: Sub-task
> Components: security
> Reporter: Zhe Zhang
> Assignee: Sherwood Zheng
> Priority: Major
> Attachments: HDFS-12284-HDFS-13532.004.patch,
> HDFS-12284-HDFS-13532.005.patch, HDFS-12284-HDFS-13532.006.patch,
> HDFS-12284-HDFS-13532.007.patch, HDFS-12284-HDFS-13532.008.patch,
> HDFS-12284-HDFS-13532.009.patch, HDFS-12284-HDFS-13532.010.patch,
> HDFS-12284-HDFS-13532.011.patch, HDFS-12284.000.patch, HDFS-12284.001.patch,
> HDFS-12284.002.patch, HDFS-12284.003.patch
>
>
> HDFS Router should support Kerberos authentication and issuing / managing
> HDFS delegation tokens.
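
Added example (not part of the original comment and not Hadoop's own code): a preflight check for the failure described in the comment above, showing how a _HOST pattern yields a different login principal for each hostname form DNS may return, and which of those have a key in the keytab. The host names, realm, keytab contents, function names and the lowercasing step are assumptions made for illustration; the pinned principal stands in for the explicit user-principal override the comment proposes.

```python
"""Preflight check for _HOST principal expansion (added example, not Hadoop code)."""

HOST_TOKEN = "_HOST"


def expand_principal(pattern, resolved_hostname):
    """Substitute _HOST in 'primary/_HOST@REALM' with the resolved hostname.

    Lowercasing the hostname is an assumption about how the service
    normalises it before building the principal.
    """
    name, sep, realm = pattern.partition("@")
    parts = name.split("/")
    if len(parts) == 2 and parts[1] == HOST_TOKEN:
        parts[1] = resolved_hostname.lower()
    return "/".join(parts) + sep + realm


def login_outcomes(pattern, dns_answers, keytab_principals, pinned_principal=None):
    """Map each possible DNS answer to (login principal, key present in keytab).

    pinned_principal models an explicit user-principal override, which makes
    the login identity independent of what DNS returns.
    """
    outcomes = {}
    for answer in dns_answers:
        principal = pinned_principal or expand_principal(pattern, answer)
        outcomes[answer] = (principal, principal in keytab_principals)
    return outcomes


# Constructed sample data: one keytab entry, two answers the resolver may give.
KEYTAB = {"hdfs/nn1@EXAMPLE.COM"}
DNS_ANSWERS = ["nn1", "nn1.example.com"]
PATTERN = "hdfs/_HOST@EXAMPLE.COM"

if __name__ == "__main__":
    for label, pinned in (("_HOST", None), ("pinned", "hdfs/nn1@EXAMPLE.COM")):
        for answer, (principal, ok) in login_outcomes(
                PATTERN, DNS_ANSWERS, KEYTAB, pinned).items():
            print(f"{label:7} dns={answer:16} -> {principal:34} "
                  f"{'ok' if ok else 'NOT IN KEYTAB'}")
```

Running the same check against the real keytab listing and every name the host can resolve to shows before startup whether a change in the DNS answer would break the login.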