hadoop-common-dev mailing list archives

From "Mubashir Kazia (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-10183) Allow use of UPN style principals in keytab files
Date Thu, 26 Dec 2013 20:44:50 GMT
Mubashir Kazia created HADOOP-10183:

             Summary: Allow use of UPN style principals in keytab files
                 Key: HADOOP-10183
                 URL: https://issues.apache.org/jira/browse/HADOOP-10183
             Project: Hadoop Common
          Issue Type: Improvement
          Components: security
            Reporter: Mubashir Kazia

Hadoop currently only allows SPN style (E.g. hdfs/node.fqdn@REALM) principals in keytab files
in a cluster configured with Kerberos security. This causes the burden of creating multiple
principals and keytabs for each node of the cluster. Active Directory allows the use of a single
principal across multiple hosts if the SPNs for different hosts have been set up correctly
on the principal. With this scheme we have the server side using a keytab file with a UPN style
(E.g. hdfs@REALM) principal for a given service for all the nodes of the cluster. The client
side will request service tickets with the SPN and its own TGT, and Active Directory will grant
service tickets with the correct secret.

This will simplify the use of principals and keytab files for Active Directory users with
one principal for each service across all the nodes of the cluster. 

I have a patch to allow the use of UPN style principals in Hadoop. The patch will not affect
the use of SPN style principals. I couldn't figure out a way to write test cases against MiniKDC,
so I have included the Oracle/Sun sample SASL server and client code along with the configuration
I used to confirm this scheme works.
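As an added illustration of the scheme described above (example code, not from the Hadoop project or the attached patch), the following models the two matching rules involved: how Active Directory picks the account key for a requested SPN, and how a server holding a UPN-style keytab entry would accept the resulting ticket. Realm, account and host names are constructed.

```python
# Added example (not from the Hadoop project or the HADOOP-10183 patch): models the
# principal matching behind the UPN-style keytab scheme. Realm and host names are constructed.
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    primary: str
    instance: str | None   # None for a UPN-style principal such as hdfs@REALM
    realm: str

def parse_principal(text: str) -> Principal:
    """Parse 'primary[/instance]@REALM', honouring backslash escapes of '/', '@' and '\\'."""
    components, buf, in_realm = [], "", False
    chars = iter(text)
    for ch in chars:
        if ch == "\\":                    # escaped character is taken literally
            buf += next(chars, "")
        elif ch == "/" and not in_realm:  # component separator
            components.append(buf); buf = ""
        elif ch == "@" and not in_realm:  # start of the realm
            components.append(buf); buf = ""; in_realm = True
        else:
            buf += ch
    if not in_realm or not buf or len(components) > 2 or not all(components):
        raise ValueError(f"unsupported principal: {text!r}")
    return Principal(components[0], components[1] if len(components) == 2 else None, buf)

def kdc_issue_ticket(spn: str, accounts: dict[str, set[str]]) -> str | None:
    """Model of the AD KDC: a ticket for `spn` (e.g. 'hdfs/node1.example.com') is encrypted with
    the key of the account whose servicePrincipalName lists it; returns that UPN or None."""
    return next((upn for upn, spns in accounts.items() if spn in spns), None)

def keytab_entry_for(ticket_spn: Principal, keytab: list[Principal],
                     upn_allowed: bool) -> Principal | None:
    """Pick the keytab entry whose key decrypts a ticket issued for `ticket_spn`.
    upn_allowed=False: exact-SPN rule only (one hdfs/node.fqdn@REALM entry per node).
    upn_allowed=True: proposed rule; an hdfs@REALM entry also serves every node of the service."""
    for entry in keytab:
        if entry == ticket_spn:
            return entry
    if upn_allowed:
        for entry in keytab:
            if entry.instance is None and (entry.primary, entry.realm) == (ticket_spn.primary, ticket_spn.realm):
                return entry
    return None

# Constructed sample: one AD account holding the SPNs of two cluster nodes.
ACCOUNTS = {"hdfs@EXAMPLE.COM": {"hdfs/node1.example.com", "hdfs/node2.example.com"}}
```

The flip side of the convenience is that the single account key now authenticates the service on every node, so a keytab taken from any one node is a loss for the whole service; per-host SPN entries keep that blast radius to one node.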
