hadoop-general mailing list archives

From Doug Cutting <cutt...@apache.org>
Subject Re: HTTP transport?
Date Fri, 06 Nov 2009 21:06:29 GMT
Kan Zhang wrote:
> Thanks for pointing this out. I did a little testing on it. It seems that
> when you use Kerberos cipher suites with SSL, the Kerberos service name for
> a TLS server has to be literally "host." For example, a TLS server running
> on the machine mach1.imc.org in the Kerberos realm IMC.ORG must use
> host/mach1.imc.org@IMC.ORG as its Kerberos principal name. I couldn't find a
> way to specify a different service name. Can someone confirm this? This can
> be a limitation since we typically run DN and TT on the same set of nodes.

This is unfortunate.  It looks to be part of the specification.

BTW, I found an approach to Kerberos over HTTP bypassing SPNEGO:

http://beamdocs.fnal.gov/DocDB/0019/001987/001/KMJ3_1-guide.pdf

Starting on page 13, he suggests having an applet that the browser loads
to create a ticket.  The ticket is created by the user's browser talking
directly to Kerberos.  Then the ticket can be used in subsequent
requests to identify the user.  An application using HTTP could
similarly contact Kerberos directly to create tickets that are sent with
requests.  No multi-step HTTP handshake is thus required.

Doug
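The principal-name constraint Kan describes (the service part must be literally "host" and the instance the server's host name, as in host/mach1.imc.org@IMC.ORG) can be checked mechanically. The following is an added example, not code from the thread or from Hadoop; it parses MIT-style principals including backslash escapes and then applies that rule, so one can see why two daemons on the same node are forced onto the same principal. The DN and TT principal names in the test are constructed for illustration.

```python
def parse_principal(principal):
    """Split an MIT-style principal 'svc/inst@REALM' into (components, realm).
    A backslash escapes the next character, so '\\/' and '\\@' are literal
    characters rather than component or realm separators."""
    components, buf, realm, in_realm = [], [], [], False
    i = 0
    while i < len(principal):
        ch = principal[i]
        if ch == "\\" and i + 1 < len(principal):   # escaped: keep literally
            (realm if in_realm else buf).append(principal[i + 1])
            i += 2
            continue
        if in_realm:
            realm.append(ch)
        elif ch == "@":                               # first unescaped '@' starts realm
            components.append("".join(buf))
            buf, in_realm = [], True
        elif ch == "/":                               # unescaped '/' ends a component
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if not in_realm or not realm:
        raise ValueError("principal has no realm: %r" % principal)
    return components, "".join(realm)


def tls_kerberos_principal_ok(principal, server_fqdn):
    """The rule discussed above for Kerberos cipher suites in TLS: exactly
    two components, service literally 'host', instance equal to the
    server's host name (host names compare case-insensitively)."""
    components, _realm = parse_principal(principal)
    return (len(components) == 2
            and components[0] == "host"
            and components[1].lower() == server_fqdn.lower())


def check_node(service_principals, server_fqdn):
    """For each daemon's preferred principal on one node, report whether it
    is usable with a Kerberos TLS cipher suite; every rejected daemon would
    instead have to share host/<fqdn>@REALM with the others on that node."""
    return {p: tls_kerberos_principal_ok(p, server_fqdn)
            for p in service_principals}
```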
