[ 
https://issues.apache.org/jira/browse/HBASE-15254?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15144348#comment-15144348
 ] 

Ashish Singhi commented on HBASE-15254:
---------------------------------------

Thanks [~ghelmling] for pointing to HBASE-14866. Actually we are using 
HBase-1.0.2 version so did not see that one before.

bq. how have you configured the replication peer for the destination cluster?
We simply ran the command add_peer '1', "server1.cie.com:2181:/hbase".

bq. Did you override the values for hbase.master.kerberos.principal and 
hbase.regionserver.kerberos.principal for the destination cluster when creating 
the peer cluster config? 
No.

bq. your principal would look like: hbase/[email protected] for the source 
cluster and hbase/[email protected] for the destination. Is this correct?
Yes.

I skimmed the patch attached in HBASE-14866. What I understood is to pass 
destination cluster principals in source cluster user has set it in 
{{ReplicationPeerConfig}}, correct? I will take a closer look into the code 
later.


> Support fixed domain name in Kerberos name for HBase replication cross realm 
> trust setup
> ----------------------------------------------------------------------------------------
>
>                 Key: HBASE-15254
>                 URL: https://issues.apache.org/jira/browse/HBASE-15254
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: Ashish Singhi
>            Assignee: Ashish Singhi
>              Labels: kerberos, replication, security
>
> HBase replication will not work with Kerberos cross realm trust when the 
> domain name in the principal is not the hostname. 
> A mail related to this was also sent to the user mailing list, [mail | 
> https://groups.google.com/forum/#!topic/nosql-databases/AYhQnU9Fc7E]
> The problem here is that whenever a user adds a new host to the cluster, 
> he/she also needs to add a principal name for that host in the KDC, generate 
> a new keytab file and update it across other hosts accordingly if required. 
> To save all this effort, users may prefer to have a fixed domain name in the 
> principal for all the hosts, and in that case HBase replication will fail 
> because currently we are using the client principal to create the sasl 
> client; instead we need to use the server principal to create the sasl client 
> and establish the sasl context



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
