hadoop-common-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Morel" <david.mo...@amakuru.net>
Subject Re: Question regarding WebHDFS security
Date Tue, 05 Jul 2016 20:31:12 GMT
On 5 Jul 2016, at 20:43, Benjamin Ross wrote:

> Hey David,
> Thanks.  Yep - that's the easy part.  Let me clarify.
>
>
> Consider that we have:
> 1. A Hadoop cluster running without Kerberos
> 2. A number of services contacting that hadoop cluster and retrieving 
> data from it using WebHDFS.
>
>
> Clearly the services don't need to login to WebHDFS using credentials 
> because the cluster isn't kerberized just yet.
>
>
> Now what happens when we enable Kerberos on the cluster?  We still 
> need to allow those services to contact the cluster without 
> credentials until we can upgrade them.  Otherwise we'll have 
> downtime.  So what can we do?
>
>
> As a possible solution, is there any way to allow unprotected access 
> from just those machines until we can upgrade them?

I doubt you can enable Kerberos without downtime anyway :) But apart 
from using Knox as mentioned by Larry (didn't use it so couldn't comment 
on that and wether it would support some sort of fallback allowing from 
near-zero downtime), I guess your apps will need support for both 
Kerberized and non-Kerberized HTTP, which you can drive with some master 
switch from something appropriate, be it DB or Zookeeper or whatever. In 
that case working on the client classes/apps and making them support 
both would be preliminary to anything else. But I may be missing the 
point again?

David

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@hadoop.apache.org
For additional commands, e-mail: user-help@hadoop.apache.org


Mime
View raw message