[ 
https://issues.apache.org/jira/browse/HDFS-16768?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mukund Thakur updated HDFS-16768:
---------------------------------
    Target Version/s: 3.3.9  (was: 3.4.0, 3.3.5)

> KMS should have its own Kerberos principal
> ------------------------------------------
>
>                 Key: HDFS-16768
>                 URL: https://issues.apache.org/jira/browse/HDFS-16768
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: kms
>    Affects Versions: 3.4.0, 3.3.5
>         Environment: Demonstrated using the trunk code base on UBI 8 under 
> Java 11.
>            Reporter: Steve Vaughan
>            Assignee: Steve Vaughan
>            Priority: Major
>
> Starting the KMS service without first running `kinit` fails when using HDFS 
> to store the keys, throwing:
> {noformat}
> java.io.IOException: org.apache.hadoop.security.AccessControlException: 
> Client cannot authenticate via:[TOKEN, KERBEROS]{noformat}
> with the following underlying cause:
>  
> {noformat}
> Caused by: org.apache.hadoop.security.AccessControlException: Client cannot 
> authenticate via:[TOKEN, KERBEROS] at 
> org.apache.hadoop.security.SaslRpcClient.selectSaslClient(SaslRpcClient.java:179)
>  at 
> org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:392){noformat}
> In addition, it would be valuable to have the automatic refresh using the 
> keytab which is provided by the UserGroupInformation.
> I'm proposing 2 new configuration settings to allow the definition of the 
> principal and keytab to use for KMS, and if provided that they should be 
> initialized as part of the server startup using the UserGroupInformation 
> methods to support reloading.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
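
A sketch of the startup login the issue proposes, added here as an example and not taken from the issue's patch or the Hadoop code base. The class name and the two configuration key names are hypothetical; the SecurityUtil and UserGroupInformation calls are existing Hadoop API, and a POSIX file system is assumed for the keytab permission check.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;

public final class KmsKerberosLogin {
  // Hypothetical key names for this sketch; the issue does not name its settings.
  static final String PRINCIPAL_KEY = "example.kms.kerberos.principal";
  static final String KEYTAB_KEY = "example.kms.kerberos.keytab";

  /** Returns true after a keytab login, false to fall back to the ticket cache. */
  static boolean loginIfConfigured(Configuration conf) throws IOException {
    String principal = conf.getTrimmed(PRINCIPAL_KEY, "");
    String keytab = conf.getTrimmed(KEYTAB_KEY, "");
    if (principal.isEmpty() && keytab.isEmpty()) {
      return false; // neither set: previous behaviour (operator runs kinit)
    }
    if (principal.isEmpty() || keytab.isEmpty()) {
      throw new IOException(PRINCIPAL_KEY + " and " + KEYTAB_KEY + " must be set together");
    }
    // A keytab is a long-lived credential: refuse one readable by group or others.
    Set<PosixFilePermission> perms = Files.getPosixFilePermissions(Paths.get(keytab));
    if (perms.contains(PosixFilePermission.GROUP_READ)
        || perms.contains(PosixFilePermission.OTHERS_READ)) {
      throw new IOException("Keytab " + keytab + " is readable by group or others");
    }
    UserGroupInformation.setConfiguration(conf);
    // Resolves _HOST in the principal, then calls loginUserFromKeytab.
    SecurityUtil.login(conf, KEYTAB_KEY, PRINCIPAL_KEY);
    return UserGroupInformation.isLoginKeytabBased();
  }

  /** Call before HDFS access in long-running threads; no-op while the TGT is fresh. */
  static void reloginIfNeeded() throws IOException {
    UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
  }

  public static void main(String[] args) throws IOException {
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    conf.set(PRINCIPAL_KEY, args[0]); // e.g. kms/_HOST@EXAMPLE.COM (constructed value)
    conf.set(KEYTAB_KEY, args[1]);    // path to the service keytab
    System.out.println("keytab login: " + loginIfConfigured(conf));
    reloginIfNeeded();
  }
}
```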
