Steve Vaughan created HDFS-16768:
------------------------------------
Summary: KMS should have its own Kerberos principal
Key: HDFS-16768
URL: https://issues.apache.org/jira/browse/HDFS-16768
Project: Hadoop HDFS
Issue Type: New Feature
Components: kms
Affects Versions: 3.4.0, 3.3.9
Environment: Demonstrated using the trunk code base on UBI 8 under
Java 11.
Reporter: Steve Vaughan
Assignee: Steve Vaughan
Starting the KMS service without first running `kinit` fails when using HDFS to
store the keys, throwing:
{noformat}
java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
{noformat}
with the following underlying cause:
{noformat}
Caused by: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
	at org.apache.hadoop.security.SaslRpcClient.selectSaslClient(SaslRpcClient.java:179)
	at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:392)
{noformat}
In addition, it would be valuable to have the automatic refresh using the
keytab which is provided by the UserGroupInformation.
I'm proposing 2 new configuration settings to allow the definition of the
principal and keytab to use for KMS, and if provided that they should be
initialized as part of the server startup using the UserGroupInformation
methods to support reloading.
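The startup behaviour proposed in the issue could look like the sketch below. It is an added example, not code from the issue or from the Hadoop project. The two property names, the class name and the sample principal and keytab path are hypothetical; it assumes hadoop-common on the classpath and a reachable KDC.

```java
import java.io.IOException;
import java.net.InetAddress;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;

public class KmsKerberosLoginExample {
  // Hypothetical property names, invented for this example only.
  static final String PRINCIPAL_KEY = "example.kms.service.principal";
  static final String KEYTAB_KEY = "example.kms.service.keytab";

  /** Logs in from the keytab when both settings are present; returns true on a keytab login. */
  static boolean loginIfConfigured(Configuration conf) throws IOException {
    String principal = conf.getTrimmed(PRINCIPAL_KEY, "");
    String keytab = conf.getTrimmed(KEYTAB_KEY, "");
    if (principal.isEmpty() || keytab.isEmpty()) {
      // Nothing configured: the process keeps relying on an external
      // ticket cache (the kinit step described in the issue).
      return false;
    }
    UserGroupInformation.setConfiguration(conf);
    if (!UserGroupInformation.isSecurityEnabled()) {
      return false; // hadoop.security.authentication is not "kerberos"
    }
    // SecurityUtil.login expands _HOST in the principal and calls
    // UserGroupInformation.loginUserFromKeytab with the resolved values.
    String host = InetAddress.getLocalHost().getCanonicalHostName();
    SecurityUtil.login(conf, KEYTAB_KEY, PRINCIPAL_KEY, host);
    return UserGroupInformation.isLoginKeytabBased();
  }

  /** Call before outbound HDFS RPC; re-logs in from the keytab when the TGT is near expiry. */
  static void reloginIfNeeded() throws IOException {
    UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
  }

  public static void main(String[] args) throws IOException {
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    // Constructed sample values; replace with a real principal and keytab.
    conf.set(PRINCIPAL_KEY, "kms/_HOST@EXAMPLE.COM");
    conf.set(KEYTAB_KEY, "/etc/security/keytabs/kms.service.keytab");
    if (loginIfConfigured(conf)) {
      reloginIfNeeded();
      System.out.println("Logged in as " + UserGroupInformation.getLoginUser());
    }
  }
}
```

The keytab should be readable only by the account that runs KMS, since anyone who can read it can authenticate as the service principal.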