hadoop-common-user mailing list archives

From Tony Dean <Tony.D...@sas.com>
Subject hadoop security API
Date Sun, 01 Jul 2012 17:12:05 GMT

The security documentation specifies how to test a secure cluster by using kinit and thus
adding the Kerberos principal TGT to the ticket cache, which the hadoop client code uses
to acquire service tickets for use in the cluster.  What if I created an application that
used the hadoop API to communicate with hdfs and/or mapred protocols, is there a programmatic
way to inform hadoop to use a particular Kerberos principal name with a keytab that contains
its password key?  I didn't see a way to integrate with JAAS KrbLoginModule.  I was thinking
that if I could inject a callbackHandler, I could pass the principal name and the KrbLoginModule
already has options to specify keytab.  Is this something that is possible?  Or is this just
not the right way to do things?  I read about impersonation where authentication is performed
with a system user such as "oozie" and then it just impersonates other users so that permissions
are based on the impersonated user instead of the system user.

Please help me understand my options for executing hadoop tasks in a multi-tenant application.

Thank you!

Tony Dean
SAS Institute Inc.
Senior Software Developer
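
The keytab login and impersonation pattern the message asks about, sketched with Hadoop's `UserGroupInformation` class; this is an added example, not part of the original message or any reply to it. The principal, keytab path and tenant user name are placeholders, and the cluster is assumed to allow the service principal to impersonate through its `hadoop.proxyuser.*` settings.

```java
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

public class KeytabProxyExample {
    public static void main(String[] args) throws Exception {
        // Placeholders (assumptions): substitute your own principal, keytab and tenant.
        String servicePrincipal = "svc-app@EXAMPLE.COM";
        String keytabPath = "/etc/security/keytabs/svc-app.keytab";
        String tenantUser = "alice";

        // Loads core-site.xml / hdfs-site.xml from the classpath.
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);

        // Authenticate as the service principal from the keytab: no kinit and
        // no shared ticket cache. The returned UGI holds the Kerberos credentials.
        UserGroupInformation serviceUgi =
            UserGroupInformation.loginUserFromKeytabAndReturnUGI(servicePrincipal, keytabPath);

        // Impersonate the tenant. The NameNode accepts this only if core-site.xml
        // lists the service's short name under hadoop.proxyuser.<name>.hosts and
        // hadoop.proxyuser.<name>.groups; keep both as narrow as possible, because
        // the keytab holder can act as any user those entries cover.
        UserGroupInformation proxyUgi =
            UserGroupInformation.createProxyUser(tenantUser, serviceUgi);

        // Everything inside doAs runs with the tenant's identity, so HDFS
        // permission checks apply to the tenant, not to the service principal.
        FileStatus[] listing = proxyUgi.doAs(
            (PrivilegedExceptionAction<FileStatus[]>) () -> {
                FileSystem fs = FileSystem.get(conf);
                return fs.listStatus(new Path("/user/" + tenantUser));
            });

        for (FileStatus status : listing) {
            System.out.println(status.getOwner() + "\t" + status.getPath());
        }
    }
}
```

The keytab is equivalent to the service principal's password, so it should be readable only by the account that runs the application.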
