[
https://issues.apache.org/jira/browse/HDFS-3466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13285290#comment-13285290
]
Aaron T. Myers commented on HDFS-3466:
--------------------------------------
bq. The reason I think it will be easier is because if there is a separate file
for HTTP principal for a given host, even if you regenerate the keytab for that
host the latest keytab will still be valid for that host so the user would not
have to know.
But they'd have to know the location(s) where the old (now invalid) keytab was,
and be sure to replace it with the new one. My point is that, either way, the
user is going to have to know that they've already exported a keytab for a
given principal. No way around that.
bq. Regarding whether to change the keyname as @Alejandro suggested or fall
back if the key is not found, this got changed when HDFS-2617 was committed.
Before that trunk used DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY key for the
keytab for the HTTP principal. Branch 1.0 still uses the same key. So the users
that are already using webhdfs on a secure cluster will have to change their
configs if we change the config keys.
Whether we change the config key is orthogonal to whether or not we check
multiple configuration keys to find the keytab. The concern I have is that
those users who _don't_ use WebHDFS shouldn't have to set multiple keytab
location config options if their principals are in a single keytab.
> The SPNEGO filter for the NameNode should come out of the web keytab file
> -------------------------------------------------------------------------
>
> Key: HDFS-3466
> URL: https://issues.apache.org/jira/browse/HDFS-3466
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: name-node, security
> Affects Versions: 1.1.0, 2.0.0-alpha
> Reporter: Owen O'Malley
> Assignee: Owen O'Malley
> Attachments: hdfs-3466-b1.patch, hdfs-3466-trunk.patch
>
>
> Currently, the spnego filter uses the DFS_NAMENODE_KEYTAB_FILE_KEY to find
> the keytab. It should use the DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY to
> do it.