[ https://issues.apache.org/jira/browse/HBASE-15254?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15144794#comment-15144794 ]
Ashish Singhi commented on HBASE-15254:
---------------------------------------
Our idea to handle this issue was (similar to how Hadoop and ZooKeeper work):
we add a new type in AuthMethod which will be used as a marker for the server to
identify whether the client has requested its principal. We set this new
AuthMethod in the connection preamble request from the client when the AuthMethod is
Kerberos, and when the server finds this new AuthMethod it will set its AuthMethod to
Kerberos and send its principal as part of the response to this request, and the
client will use this principal to create the SASL client. I have a patch ready
for RpcClientImpl (if needed I can attach it here); it is yet to be implemented for
AsyncRpcClient.
Maybe instead of adding a new AuthMethod type we can use some other RPC
header than the current one {'H', 'B', 'a', 's'} as a marker.
I feel this is more user-friendly compared to asking the user to add these Kerberos
principal configurations in ReplicationPeerConfig.
This is just my thought.
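The exchange proposed in the comment above, written out as an added simulation; this is not HBase code and not the patch mentioned, and the marker value 83 for the new AuthMethod, the Server/negotiate helper names, the _HOST template, the principal strings and the realm allow-list are all assumptions made for the example. The 4-byte 'HBas' magic, the version byte and the auth-method byte follow HBase's preamble layout, and the codes 80/81/82 are the SIMPLE/KERBEROS/DIGEST values of HBase's AuthMethod enum. The example contrasts the current client behaviour (deriving the peer's principal from its own config with _HOST replaced by the remote hostname, which breaks when the server uses a fixed domain name) with the proposed flow where the server announces its principal and the client uses that as the SASL target.

```python
"""Simulated HBase-style connection preamble with a 'send me your principal' marker.

Added example, not HBase code. Marker code 83, the helper names and the
sample principals/hosts/realms are constructed for illustration.
"""
import re

# Preamble layout used by HBase RPC: 4 magic bytes, 1 version byte, 1 auth-method byte.
RPC_HEADER = b"HBas"
RPC_VERSION = 0

# AuthMethod codes as in HBase's AuthMethod enum.
AUTH_SIMPLE = 80
AUTH_KERBEROS = 81
AUTH_DIGEST = 82
# Hypothetical marker proposed in the comment: "Kerberos, and please tell me your principal".
AUTH_KERBEROS_ASK_PRINCIPAL = 83

# service/instance@REALM
PRINCIPAL_RE = re.compile(r"^([^/@]+)/([^/@]+)@([^/@]+)$")


def build_preamble(auth_code: int) -> bytes:
    """Client side: the 6-byte connection preamble."""
    return RPC_HEADER + bytes([RPC_VERSION, auth_code])


def parse_preamble(data: bytes) -> int:
    """Server side: validate magic and version, return the auth-method byte."""
    if len(data) != 6 or data[:4] != RPC_HEADER:
        raise ValueError("bad rpc header")
    if data[4] != RPC_VERSION:
        raise ValueError(f"unsupported rpc version {data[4]}")
    return data[5]


class Server:
    """A region server that knows its own (possibly fixed-domain) principal."""

    def __init__(self, principal: str):
        self.principal = principal
        self.auth_method = AUTH_KERBEROS

    def handle_preamble(self, data: bytes) -> bytes:
        """Return the bytes sent back to the client (empty means no reply, as today)."""
        auth = parse_preamble(data)
        if auth == AUTH_KERBEROS_ASK_PRINCIPAL:
            # Marker seen: continue as plain Kerberos and announce our principal.
            self.auth_method = AUTH_KERBEROS
            return self.principal.encode("utf-8")
        self.auth_method = auth
        return b""


def legacy_server_principal(template: str, server_host: str) -> str:
    """Current behaviour: guess the peer's principal from the client's own
    config template by substituting _HOST with the remote hostname."""
    return template.replace("_HOST", server_host)


def negotiate_sasl_target(server: Server, expected_service: str,
                          trusted_realms: set) -> str:
    """Proposed flow: ask the server for its principal and use it as the SASL target.

    The announcement arrives before any authentication has happened, so the
    client constrains what it will accept: the service part must be the one it
    expects and the realm must be one it has a cross-realm trust with.
    """
    reply = server.handle_preamble(build_preamble(AUTH_KERBEROS_ASK_PRINCIPAL))
    principal = reply.decode("utf-8")
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError(f"malformed principal from server: {principal!r}")
    service, _instance, realm = m.groups()
    if service != expected_service or realm not in trusted_realms:
        raise ValueError(f"refusing SASL target {principal!r}")
    return principal


if __name__ == "__main__":
    # Constructed sample: peer cluster uses one fixed domain name in every principal.
    peer = Server("hbase/hadoop.hadoop.com@PEER.REALM")
    guessed = legacy_server_principal("hbase/_HOST@PEER.REALM", "rs1.peer.example")
    print("legacy guess :", guessed, "(matches)" if guessed == peer.principal else "(mismatch)")
    print("announced    :", negotiate_sasl_target(peer, "hbase", {"PEER.REALM"}))
```

Running the script shows the hostname-derived guess hbase/rs1.peer.example@PEER.REALM does not match the server's real principal, while the marker exchange yields the announced one. The realm and service checks in negotiate_sasl_target are the example's own addition: since the principal is announced before authentication, accepting an arbitrary name would let the peer steer which service ticket the client requests.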
> Support fixed domain name in Kerberos name for HBase replication cross realm
> trust setup
> ----------------------------------------------------------------------------------------
>
> Key: HBASE-15254
> URL: https://issues.apache.org/jira/browse/HBASE-15254
> Project: HBase
> Issue Type: Improvement
> Reporter: Ashish Singhi
> Assignee: Ashish Singhi
> Labels: kerberos, replication, security
>
> HBase replication will not work with Kerberos cross-realm trust when the domain
> name in the principal is not the hostname.
> A mail was also sent related to this on the user mailing list, [mail |
> https://groups.google.com/forum/#!topic/nosql-databases/AYhQnU9Fc7E]
> The problem here is that whenever a user adds a new host to the cluster he/she also
> needs to add a principal name for that host in the KDC, generate a new keytab
> file and update it across other hosts accordingly if required.
> To save all this effort users may prefer to have a fixed domain name in the
> principal for all the hosts, and in that case HBase replication will fail
> because currently we are using the client principal to create the SASL client; instead
> we need to use the server principal to create the SASL client and establish the SASL
> context.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)