[
https://issues.apache.org/jira/browse/HDFS-3466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13285147#comment-13285147
]
Arpit Gupta commented on HDFS-3466:
-----------------------------------
{quote}
It is an unnecessary flexibility (adding extra complexity) to have 2 keys for a
keytab. IMO, we should consolidate both keys in one instead.
{quote}
Multiple keytabs are needed when you have multiple services needing access to
HTTP principal. For example if oozie will run on the same node as the namenode,
then rather than sharing one keytab that has hdfs, oozie and HTTP principals in
one keytab you can create a different keytab which just has HTTP principal.
We need to do this because as soon as you add the same principal do a different
keytab, earlier keytabs become invalidated.
> The SPNEGO filter for the NameNode should come out of the web keytab file
> -------------------------------------------------------------------------
>
> Key: HDFS-3466
> URL: https://issues.apache.org/jira/browse/HDFS-3466
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: name-node, security
> Affects Versions: 1.1.0, 2.0.0-alpha
> Reporter: Owen O'Malley
> Assignee: Owen O'Malley
> Attachments: hdfs-3466-b1.patch, hdfs-3466-trunk.patch
>
>
> Currently, the spnego filter uses the DFS_NAMENODE_KEYTAB_FILE_KEY to find
> the keytab. It should use the DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY to
> do it.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
