[ https://issues.apache.org/jira/browse/KUDU-3057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17039717#comment-17039717 ]
Alexey Serbin commented on KUDU-3057:
-------------------------------------
[~awong] could you elaborate why the keytab should be passed as an argument to
tools, i.e. why simply having it as an environment variable is not enough?
As of now, Kerberos libraries allow for passing the environment variable with
keytab for clients via the {{KRB5_CLIENT_KTNAME}} property:
https://web.mit.edu/kerberos/krb5-1.12/doc/mitK5defaults.html#paths
At least, the following works for the {{kudu}} CLI tool:
{noformat}
KRB5_CLIENT_KTNAME=FILE:/tmp/kudu.keytab kudu cluster ksck <kudu_master_rpc_endpoints>
{noformat}
> Allow users to pass keytabs to CLI tooling
> ------------------------------------------
>
> Key: KUDU-3057
> URL: https://issues.apache.org/jira/browse/KUDU-3057
> Project: Kudu
> Issue Type: Improvement
> Components: CLI, security
> Reporter: Andrew Wong
> Priority: Major
>
> In scripting tooling, it's inconvenient to require an explicit `kinit` before
> running tooling against a secure cluster. It'd be nice if a user could
> instead pass the keytab as an argument to tools.
> This would also allow us to use an [in-memory credentials
> cache|https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html] as we
> do in the server, so we wouldn't "leak" credentials to the system-wide
> file-based credentials cache.
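
The environment-variable approach from the comment, combined with the credentials-cache concern from the issue description, as an added example that is not part of the original thread or of Kudu: a POSIX shell wrapper (the name `run_with_keytab` is hypothetical) that rejects a keytab accessible to group or others, then runs one command with `KRB5_CLIENT_KTNAME` set and `KRB5CCNAME` pointed at a throwaway private cache file instead of the default one. It assumes an MIT krb5 release in which GSSAPI clients obtain initial credentials from the client keytab and store them in the cache named by `KRB5CCNAME`.

```shell
# Added example (not Kudu code). Usage, with a placeholder endpoint list:
#   run_with_keytab /path/to/kudu.keytab kudu cluster ksck <kudu_master_rpc_endpoints>
run_with_keytab() {
    kt=$1; shift

    # A keytab holds long-term keys: insist on a regular file, not a symlink.
    if [ ! -f "$kt" ] || [ -L "$kt" ]; then
        echo "run_with_keytab: $kt is not a regular file" >&2
        return 2
    fi

    # Characters 5-10 of the ls mode string are the group and other bits;
    # any of them set means someone besides the owner can reach the keys.
    mode=$(ls -ld -- "$kt" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "run_with_keytab: $kt is accessible to group/other" >&2
        return 3
    fi

    # mktemp -d creates a directory with mode 0700, so the ticket cache
    # written below is private to this user and to this single run.
    ccdir=$(mktemp -d) || return 4

    rc=0
    (
        KRB5_CLIENT_KTNAME="FILE:$kt"
        KRB5CCNAME="FILE:$ccdir/krb5cc"
        export KRB5_CLIENT_KTNAME KRB5CCNAME
        "$@"
    ) || rc=$?

    # Remove the per-run cache so no tickets outlive the command.
    rm -rf -- "$ccdir"
    return "$rc"
}
```

The variables are exported only inside the subshell, so the calling script's own environment and default credentials cache are left untouched.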