[
https://issues.apache.org/jira/browse/HDDS-10509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17924164#comment-17924164
]
István Fajth commented on HDDS-10509:
-------------------------------------
The problem is not because of the authentication, as I understand it. The problem
is that Ratis uses gRPC and mTLS. gRPC is running over HTTP2.2 where SPNEGO is
deprecated and it is advised against, as HTTP2.2 is stateless, while SPNEGO
requires state.
Introducing a non-gRPC-based protocol server for Ratis admin seems to be
complexity.
Why don't we send in the serialized Ratis admin request via the current or via
a new admin API endpoint of SCM/OM/DN that is authenticating with Kerberos, and
let them route the request to the proper admin API endpoint of the addressed
Ratis group on behalf of the client?
> Allow running ratis shell commands in secure Ozone cluster.
> -----------------------------------------------------------
>
> Key: HDDS-10509
> URL: https://issues.apache.org/jira/browse/HDDS-10509
> Project: Apache Ozone
> Issue Type: Sub-task
> Components: Tools
> Reporter: Tsz-wo Sze
> Assignee: Rishabh Patel
> Priority: Major
>
> When Ozone is in secure mode, running ratis shell directly cannot access
> Ozone since ratis shell does not have Ozone UserGroupInformation. We should
> add a new Ozone command to run ratis shell. The new Ozone command can get
> the UserGroupInformation and then run the ratis commands.