[
https://issues.apache.org/jira/browse/KUDU-2096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16127962#comment-16127962
]
Todd Lipcon commented on KUDU-2096:
-----------------------------------
If you check out the chart in KUDU-2032, you can actually see the behavior that
MIT krb5 has for different settings for an example of a CNAME. I think the
defaults (canonicalize_host_name = true, rdns = true) would work as expected
for the CNAME config -- it would resolve all the way to an IP, then reverse
back to the true FQDN of the host, and use that as a principal. The trick is
that it's possible to configure krb5 to do only the "cname -> actual name"
step, which might actually not match the reversed IP.
> Document necessary configuration for Kerberos with master CNAMEs
> ----------------------------------------------------------------
>
> Key: KUDU-2096
> URL: https://issues.apache.org/jira/browse/KUDU-2096
> Project: Kudu
> Issue Type: Task
> Components: documentation, security
> Reporter: Todd Lipcon
>
> Currently our docs recommend using CNAMEs for master addresses to simplify
> moving them around. However, if clients connect to a master with its
> non-canonical name, there are some complications with Kerberos principals,
> etc. We should test and document the necessary steps for such a configuration.
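The resolution chain described in the comment above, as an added example that is not part of the original message and is not Kudu or MIT krb5 code: a simplified Python model of how a client turns the name it was given into a service principal under each combination of settings. The host names, addresses, realm, `kudu` service name and the `canonicalize`/`rdns` parameter names are constructed for illustration.

```python
# Simplified model of client-side hostname canonicalization when building a
# Kerberos service principal. Every DNS record below is a constructed sample.
CNAME = {"master-1.example.com": "kudu-m1.example.com"}   # alias -> target
A = {"kudu-m1.example.com": "10.0.0.17"}                  # forward record
PTR = {"10.0.0.17": "node17.dc1.example.com"}             # reverse record

# Principal assumed to be in the server's keytab (built from its true FQDN).
SERVER_PRINCIPAL = "kudu/node17.dc1.example.com@EXAMPLE.COM"


def forward_canonical(host):
    """Follow CNAMEs to the name owning the A record; return (name, ip)."""
    seen = set()
    while host in CNAME:
        if host in seen:
            raise ValueError("CNAME loop at " + host)
        seen.add(host)
        host = CNAME[host]
    return host, A.get(host)


def service_principal(service, host, realm, canonicalize=True, rdns=True):
    """Return the principal a client would request a ticket for."""
    name = host.lower()
    if canonicalize:
        name, ip = forward_canonical(name)      # "cname -> actual name" step
        if rdns and ip in PTR:
            name = PTR[ip]                      # reverse the IP to the FQDN
    return f"{service}/{name.lower()}@{realm}"


def compare_settings(host="master-1.example.com"):
    """Map each (canonicalize, rdns) pair to (principal, matches_server)."""
    results = {}
    for canonicalize, rdns in [(True, True), (True, False), (False, False)]:
        p = service_principal("kudu", host, "EXAMPLE.COM", canonicalize, rdns)
        results[(canonicalize, rdns)] = (p, p == SERVER_PRINCIPAL)
    return results


if __name__ == "__main__":
    for setting, (principal, ok) in compare_settings().items():
        print(setting, principal, "match" if ok else "MISMATCH")
```

In this constructed zone only the forward-plus-reverse setting produces the principal the server holds; the CNAME-only and no-canonicalization settings each request a principal the server has no key for.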