[ 
https://issues.apache.org/jira/browse/HDFS-3466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13285230#comment-13285230
 ] 

Arpit Gupta commented on HDFS-3466:
-----------------------------------

@Aaron

The reason I think it will be easier is because if there is a separate file for 
HTTP principal for a given host, even if you regenerate the keytab for that host 
the latest keytab will still be valid for that host so the user would not have 
to know.

Regarding whether to change the keyname as @Alejandro suggested or fall back if 
the key is not found, this got changed when HDFS-2617 was committed. Before that 
trunk used DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY key for the keytab for 
the HTTP principal. Branch 1.0 still uses the same key. So the users that are 
already using webhdfs on a secure cluster will have to change their configs if 
we change the config keys.
                
> The SPNEGO filter for the NameNode should come out of the web keytab file
> -------------------------------------------------------------------------
>
>                 Key: HDFS-3466
>                 URL: https://issues.apache.org/jira/browse/HDFS-3466
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: name-node, security
>    Affects Versions: 1.1.0, 2.0.0-alpha
>            Reporter: Owen O'Malley
>            Assignee: Owen O'Malley
>         Attachments: hdfs-3466-b1.patch, hdfs-3466-trunk.patch
>
>
> Currently, the spnego filter uses the DFS_NAMENODE_KEYTAB_FILE_KEY to find 
> the keytab. It should use the DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY to 
> do it.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
