[
https://issues.apache.org/jira/browse/KUDU-3057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17040486#comment-17040486
]
Alexey Serbin commented on KUDU-3057:
-------------------------------------
To summarize, as of now it's possible to run {{kudu}} CLI tool like the
following:
{noformat}
KRB5_CLIENT_KTNAME=FILE:<abs_path_to_keytab> KRB5CCNAME=MEMORY: kudu cluster ksck <kudu_master_rpc_endpoints>
{noformat}
Using {{KRB5_CLIENT_KTNAME}} allows for logging in from the specified keytab.
Using the credentials cache in memory makes it possible to ignore credentials
cache on filesystem (by default it's something like {{/tmp/krb5cc_<uid>}}),
where the latter might have almost-expired or already expired credentials.
With in-memory credentials cache, there is no risk of using expired or
almost-expired credentials.
> Allow users to pass keytabs to CLI tooling
> ------------------------------------------
>
> Key: KUDU-3057
> URL: https://issues.apache.org/jira/browse/KUDU-3057
> Project: Kudu
> Issue Type: Improvement
> Components: CLI, security
> Reporter: Andrew Wong
> Priority: Major
>
> In scripting tooling, it's inconvenient to require an explicit `kinit` before
> running tooling against a secure cluster. It'd be nice if a user could
> instead pass the keytab as an argument to tools.
> This would also allow us to use an [in-memory credentials
> cache|https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html] as we
> do in the server, so we wouldn't "leak" credentials to the system-wide
> file-based credentials cache.