[ https://issues.apache.org/jira/browse/HDFS-16768?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mukund Thakur updated HDFS-16768: --------------------------------- Target Version/s: 3.3.9 (was: 3.4.0, 3.3.5) > KMS should have it's own Kerberos principal > ------------------------------------------- > > Key: HDFS-16768 > URL: https://issues.apache.org/jira/browse/HDFS-16768 > Project: Hadoop HDFS > Issue Type: New Feature > Components: kms > Affects Versions: 3.4.0, 3.3.5 > Environment: Demonstrated using the trunk code base on UBI 8 under > Java 11. > Reporter: Steve Vaughan > Assignee: Steve Vaughan > Priority: Major > > Starting the KMS service without first running `kinit` fails when using HDFS > to store the keys, throwing: > {noformat} > java.io.IOException: org.apache.hadoop.security.AccessControlException: > Client cannot authenticate via:[TOKEN, KERBEROS]{noformat} > with the following underlying cause: > > {noformat} > Caused by: org.apache.hadoop.security.AccessControlException: Client cannot > authenticate via:[TOKEN, KERBEROS] at > org.apache.hadoop.security.SaslRpcClient.selectSaslClient(SaslRpcClient.java:179) > at > org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:392){noformat} > In addition, it would be valuable to have the automatic refresh using the > keytab which is provided by the UserGroupInformation. > I'm proposing 2 new configuration settings to allow the definition of the > principal and keytab to use for KMS, and if provided that they should be > initialized as part of the server startup using the UserGroupInformation > methods to support reloading. > -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org