hadoop-common-issues mailing list archives

From "Hadoop QA (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10183) Allow use of UPN style principals in keytab files
Date Tue, 31 Dec 2013 01:38:50 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13859240#comment-13859240 ]

Hadoop QA commented on HADOOP-10183:

{color:red}-1 overall{color}.  Here are the results of testing the latest attachment 
  against trunk revision .

    {color:green}+1 @author{color}.  The patch does not contain any @author tags.

    {color:red}-1 tests included{color}.  The patch doesn't appear to include any new or modified
                        Please justify why no new tests are needed for this patch.
                        Also please list what manual steps were performed to verify this patch.

    {color:green}+1 javac{color}.  The applied patch does not increase the total number of javac compiler warnings.

    {color:green}+1 javadoc{color}.  The javadoc tool did not generate any warning messages.

    {color:green}+1 eclipse:eclipse{color}.  The patch built with eclipse:eclipse.

    {color:green}+1 findbugs{color}.  The patch does not introduce any new Findbugs (version 1.3.9) warnings.

    {color:green}+1 release audit{color}.  The applied patch does not increase the total number of release audit warnings.

    {color:red}-1 core tests{color}.  The patch failed these unit tests in hadoop-common-project/hadoop-common:


    {color:green}+1 contrib tests{color}.  The patch passed contrib unit tests.

Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/3388//testReport/
Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/3388//console

This message is automatically generated.

> Allow use of UPN style principals in keytab files
> -------------------------------------------------
>                 Key: HADOOP-10183
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10183
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.2.0
>            Reporter: Mubashir Kazia
>            Assignee: Mubashir Kazia
>         Attachments: AppConnection.java, HADOOP-10183.patch, HADOOP-10183.patch.1, Jaas.java, SaslTestClient.java, SaslTestServer.java, hdfs.keytab, jaas-krb5.conf, krb5.conf
>
> Hadoop currently only allows SPN style (e.g. hdfs/node.fqdn@REALM) principals in keytab files in a cluster configured with Kerberos security. This causes the burden of creating multiple principals and keytabs for each node of the cluster. Active Directory allows the use of a single principal across multiple hosts if the SPNs for different hosts have been set up correctly on the principal. With this scheme we have the server side using a keytab file with a UPN style (e.g. hdfs@REALM) principal for a given service for all the nodes of the cluster. The client side will request service tickets with SPN and its own TGT and Active Directory will grant service tickets with the correct secret.
> This will simplify the use of principals and keytab files for Active Directory users with one principal for each service across all the nodes of the cluster.
> I have a patch to allow the use of UPN style principals in Hadoop. The patch will not affect the use of SPN style principals. I couldn't figure out a way to write test cases against MiniKDC so I have included the Oracle/Sun sample SASL server and client code along with the configuration I used to confirm this scheme works.

This message was sent by Atlassian JIRA