hadoop-common-issues mailing list archives

From "Kai Zheng (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-12911) Upgrade Hadoop MiniKDC with Kerby
Date Fri, 01 Apr 2016 08:16:25 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-12911?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15221347#comment-15221347 ]

Kai Zheng commented on HADOOP-12911:
------------------------------------

Some comments:
1. Much cleaned now in pom.xml files. An issue was noted:
{code}
+    <dependency>
+      <groupId>org.apache.kerby</groupId>
+      <artifactId>kerb-simplekdc</artifactId>
+      <version>1.0.0-RC2</version>
+      <exclusions>
+        <exclusion>
+          <groupId>org.bouncycastle</groupId>
+          <artifactId>bcprov-jdk15on</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
{code}
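Review bot: The {{<exclusions>}} block for {{org.bouncycastle:bcprov-jdk15on}} carries no XML comment saying why it is there or when it can be removed, and {{<version>1.0.0-RC2</version>}} pins a release candidate. Add a short comment above the exclusion that references the follow-up issue, and move to a final kerb-simplekdc release when one is available so the exclusion and the RC pin can be dropped together.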
The RC2 release of Kerby relied on bouncycastle by mistake, and the dependency will be cleaned
up in the next release. Could you file an issue to mark this as a follow-on, so that once the new
Kerby release is available, this can be cleaned up accordingly?
2. In {{TestKMS}}, it looks like the following change isn't relevant.
{noformat}
-        conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 64);
+        conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
{noformat}
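Review bot: The {{KeyProvider.DEFAULT_BITLENGTH_NAME}} value goes from 64 to 128 with nothing in the hunk saying why a KDC upgrade needs a different key bit length in this test. If the tests no longer pass with 64, state the reason in a comment next to the call; otherwise move this line to a separate change.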
3. Not sure why the following are removed. Are you sure the two configurations are not usable?
The krb5.conf item can be set in case tests will rely on the env variable; the debug one can
be set by tests to allow verbose output or not.
{noformat}
- * MiniKdc sets 2 System properties when started and un-sets them when stopped:
- * <ul>
- *   <li>java.security.krb5.conf: set to the MiniKDC real/host/port</li>
- *   <li>sun.security.krb5.debug: set to the debug value provided in the
- *   configuration</li>
- * </ul>
{noformat}
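Review bot: The removed Javadoc lines describe the {{java.security.krb5.conf}} and {{sun.security.krb5.debug}} system properties, and the hunk adds no replacement text. If MiniKdc still sets them on start and un-sets them on stop, keep the list; if it no longer does, say so in the class Javadoc, since tests that read those properties would otherwise change behaviour silently.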
4. In MiniKDC, why does it need resetDefaultRealm? I thought the desired realm can be set previously,
then SimpleKDC will take care of it.
5. I think Kerby SimpleKDC can be improved to do the synchronization itself, rather than let
MiniKDC bother to do it.
{code}
+    synchronized (this) {
+      simpleKdc.createPrincipals(principals);
+    }
{code}
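Review bot: {{synchronized (this)}} around {{simpleKdc.createPrincipals(principals)}} only serializes callers that take this instance's monitor, and the hunk has no comment naming what is being protected. Document the shared state the lock guards and check that every other access to {{simpleKdc}} in the class takes the same lock; otherwise the block gives a false sense of thread safety.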



> Upgrade Hadoop MiniKDC with Kerby
> ---------------------------------
>
>                 Key: HADOOP-12911
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12911
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: test
>            Reporter: Jiajia Li
>            Assignee: Jiajia Li
>         Attachments: HADOOP-12911-v1.patch, HADOOP-12911-v2.patch, HADOOP-12911-v3.patch, HADOOP-12911-v4.patch, HADOOP-12911-v5.patch
>
>
> As discussed in the mailing list, we’d like to introduce Apache Kerby into Hadoop. Initially it’s good to start with upgrading Hadoop MiniKDC with Kerby offerings. Apache Kerby (https://github.com/apache/directory-kerby), as an Apache Directory sub project, is a Java Kerberos binding. It provides a SimpleKDC server that borrowed ideas from MiniKDC and implemented all the facilities existing in MiniKDC. Currently MiniKDC depends on the old Kerberos implementation in the Directory Server project, but that implementation has stopped being maintained. The Directory community has a plan to replace the implementation using Kerby. MiniKDC can use Kerby SimpleKDC directly to avoid depending on the full Directory project. Kerby also provides nice identity backends such as the lightweight memory based one and the very simple json one for easy development and test environments.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
