[ 
https://issues.apache.org/jira/browse/HDFS-3466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13285155#comment-13285155
 ] 

Aaron T. Myers commented on HDFS-3466:
--------------------------------------

bq. We need to do this because as soon as you add the same principal to a 
different keytab, earlier keytabs become invalidated.

That's not necessarily true. It's true by default with MIT Kerberos, but it 
doesn't have to be the case. You can either use the '-norandkey' option when 
creating the second keytab in kadmin, or you can use ktutil to create a keytab 
totally offline (i.e. independently of the kadmin server) which contains 
whatever entries you want from several already-created keytabs.
                
> The SPNEGO filter for the NameNode should come out of the web keytab file
> -------------------------------------------------------------------------
>
>                 Key: HDFS-3466
>                 URL: https://issues.apache.org/jira/browse/HDFS-3466
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: name-node, security
>    Affects Versions: 1.1.0, 2.0.0-alpha
>            Reporter: Owen O'Malley
>            Assignee: Owen O'Malley
>         Attachments: hdfs-3466-b1.patch, hdfs-3466-trunk.patch
>
>
> Currently, the spnego filter uses the DFS_NAMENODE_KEYTAB_FILE_KEY to find 
> the keytab. It should use the DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY to 
> do it.
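
Added example (not part of the JIRA comment or of Hadoop): a default `ktadd` generates new random keys for the principal, which raises its key version number (kvno), so one way to check whether an existing keytab survived the creation of a second one is to compare kvnos per principal. The sketch assumes the MIT keytab file format version 0x0502; the principal names, kvnos and helper names are constructed for illustration.

```python
import struct

def _counted(buf, p):  # 16-bit length-prefixed string -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from keytab bytes (file format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,), pos = struct.unpack_from(">i", data, pos), pos + 4
        if size <= 0:                    # negative length marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p, names = pos + 2, []
        for _ in range(ncomp + 1):       # realm first, then the name components
            s, p = _counted(data, p)
            names.append(s.decode())
        kvno, enctype = struct.unpack_from(">8xBH", data, p)  # skip name type + timestamp
        _, p = _counted(data, p + 11)    # step over the key bytes
        if end - p >= 4:                 # optional 32-bit kvno wins when nonzero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, enctype))
        pos = end
    return entries

def kvno_mismatches(kt_a, kt_b):
    """Map principal -> (newest kvno in a, newest kvno in b) where they differ."""
    newest = lambda kt: {p: k for p, k, _ in sorted(parse_keytab(kt), key=lambda e: e[1])}
    a, b = newest(kt_a), newest(kt_b)
    return {p: (a[p], b[p]) for p in a.keys() & b.keys() if a[p] != b[p]}

def make_entry(principal, kvno, enctype=18):
    """Build one constructed sample entry with an all-zero dummy key."""
    name, realm = principal.split("@")
    lp = lambda s: struct.pack(">H", len(s)) + s
    parts = [lp(realm.encode())] + [lp(c.encode()) for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1) + b"".join(parts)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + lp(bytes(32)) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample keytabs; principal names and kvnos are made up.
HTTP, NN = "HTTP/nn.example.com@EXAMPLE.COM", "nn/nn.example.com@EXAMPLE.COM"
web_kt = b"\x05\x02" + make_entry(HTTP, 2)
merged = b"\x05\x02" + make_entry(NN, 1) + make_entry(HTTP, 2)        # keys kept
rerandomized = b"\x05\x02" + make_entry(NN, 1) + make_entry(HTTP, 3)  # keys re-rolled
```

An empty result from `kvno_mismatches` means both keytabs carry the same key version for every shared principal; on a real host, pass in the bytes of the two keytab files instead of the samples.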
