[
https://issues.apache.org/jira/browse/KUDU-3057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17041554#comment-17041554
]
Andrew Wong commented on KUDU-3057:
-----------------------------------
In many cases, that should work. In my particular scenario, I haven't had much
luck. Using a client keytab works only if the first principal in the keytab is
who you want to run as. If not, I haven't been able to find the appropriate
environment variables to specify the correct principal. That said, I'm able to
script a {{kinit}} as a workaround.

As for this ticket, the one benefit I can think of with passing a keytab would
be the ability to then periodically kinit for long-running tools (like the
rebalancer tool) in cases where the max renewal period is low. On my machine,
that period is 90 minutes; rebalancing can certainly take longer than this on
larger clusters. There's always the "workaround" of retrying the tool, as the
rebalancer is stateless in some sense -- that said, avoiding that would be nice.

> Allow users to pass keytabs to CLI tooling
> ------------------------------------------
>
> Key: KUDU-3057
> URL: https://issues.apache.org/jira/browse/KUDU-3057
> Project: Kudu
> Issue Type: Improvement
> Components: CLI, security
> Reporter: Andrew Wong
> Priority: Major
>
> In scripting tooling, it's inconvenient to require an explicit `kinit` before
> running tooling against a secure cluster. It'd be nice if a user could
> instead pass the keytab as an argument to tools.
>
> This would also allow us to use an [in-memory credentials
> cache|https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html] as we
> do in the server, so we wouldn't "leak" credentials to the system-wide
> file-based credentials cache.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
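
The scripted `kinit` workaround and the periodic re-`kinit` for long-running tools discussed in the comment can be combined in one wrapper; this is an added example, not code from the ticket or from Kudu. It assumes MIT `kinit`/`kdestroy`; the names `with_keytab`, `KINIT` and `KDESTROY` are hypothetical, and because a `MEMORY:` cache is visible only to the process that created it, a private `FILE:` cache stands in for the in-memory cache the ticket mentions.

```shell
#!/bin/sh
# Added example, not Kudu code. KINIT/KDESTROY are overridable (assumption)
# so the wrapper can be exercised without a KDC.
KINIT=${KINIT:-kinit}
KDESTROY=${KDESTROY:-kdestroy}

# with_keytab KEYTAB PRINCIPAL REFRESH_SECS CMD [ARGS...]
# Runs CMD with a ticket for PRINCIPAL, re-acquired every REFRESH_SECS.
with_keytab() {
    keytab=$1 principal=$2 refresh=$3
    shift 3

    # Private cache in a 0700 directory (mktemp -d) rather than the default
    # per-user cache that every other process of this user shares.
    ccdir=$(mktemp -d) || return 1
    KRB5CCNAME="FILE:$ccdir/cc"
    export KRB5CCNAME

    # Name the principal explicitly so the order of keytab entries is irrelevant.
    if ! "$KINIT" -k -t "$keytab" "$principal"; then
        rm -rf "$ccdir"; unset KRB5CCNAME
        return 1
    fi

    # Refresher: fetch a new ticket from the keytab at a fixed interval, so
    # the run is not bounded by ticket lifetime or max renewal period.
    ( while sleep "$refresh"; do
          "$KINIT" -k -t "$keytab" "$principal" || echo "re-kinit failed" >&2
      done ) &
    refresher=$!

    rc=0
    "$@" || rc=$?

    # Stop refreshing, destroy the tickets, remove the cache directory.
    kill "$refresher" 2>/dev/null || true
    wait "$refresher" 2>/dev/null || true
    "$KDESTROY" -q 2>/dev/null || true
    rm -rf "$ccdir"; unset KRB5CCNAME
    return "$rc"
}
```

Choose a refresh interval comfortably shorter than the ticket lifetime; the wrapped command's exit status is returned unchanged, so callers can still retry on failure.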