Hi all,

To access a Kerberos-protected cluster, our Hadoop clients need to get a Kerberos ticket (kinit user@realm) before submitting jobs. We want our clients to get rid of the Kerberos password, so we would like to use keytabs for authentication. Here we export principals with the form 'username/host@realm' and deploy them to our clients' hosts.

In addition, we want to make sure the host in the keytab matches the host from which a client submits a job. Currently there is no host check on client principal auth. I have found some JIRA issues which may be helpful:

https://issues.apache.org/jira/browse/HDFS-1003
https://issues.apache.org/jira/browse/HADOOP-7215

I have no idea how to achieve it. I also wonder whether such a check is reasonable. Can anyone give me some hint?
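
One way to express the host check asked about above, as an added example that is not part of the original post and not Hadoop code: it parses a 'username/host@realm' principal and accepts it only when the host part is the forward-confirmed reverse-DNS name of the connecting address. The function names, the DNS-based comparison and the sample records are assumptions made for illustration.

```python
import socket

def parse_client_principal(principal):
    """Split 'username/host@realm' into (user, host, realm) or raise ValueError."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError("principal has no realm: %r" % principal)
    parts = name.split("/")
    if len(parts) != 2 or not all(parts):
        raise ValueError("expected username/host@realm: %r" % principal)
    # Hostnames compare case-insensitively; drop a trailing root dot.
    return parts[0], parts[1].rstrip(".").lower(), realm

def dns_reverse(ip):
    """PTR lookup: name the resolver reports for this address."""
    return socket.gethostbyaddr(ip)[0]

def dns_forward(host):
    """Forward lookup: set of addresses the name resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def host_matches_peer(principal, peer_ip, reverse=dns_reverse, forward=dns_forward):
    """True only if the principal's host part is the PTR name of peer_ip AND
    that name resolves back to peer_ip (forward-confirmed reverse DNS)."""
    try:
        _, host, _ = parse_client_principal(principal)
        if reverse(peer_ip).rstrip(".").lower() != host:
            return False
        return peer_ip in forward(host)
    except (ValueError, OSError):
        return False  # fail closed on malformed principals and lookup errors

# Constructed sample DNS data (assumed values) so the example runs offline.
SAMPLE_PTR = {"10.0.0.5": "Client1.Example.COM.", "10.0.0.9": "client1.example.com"}
SAMPLE_A = {"client1.example.com": {"10.0.0.5"}}

def sample_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise OSError("no PTR record for " + ip)
    return SAMPLE_PTR[ip]

def sample_forward(host):
    return SAMPLE_A.get(host, set())

if __name__ == "__main__":
    p = "alice/client1.example.com@EXAMPLE.COM"
    for ip in ("10.0.0.5", "10.0.0.9", "10.0.0.7"):
        print(ip, host_matches_peer(p, ip, sample_reverse, sample_forward))
```

A check of this kind is only as trustworthy as the DNS data for the client network, which is why the PTR name is confirmed with a forward lookup before it is accepted.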
