hadoop-hdfs-issues mailing list archives

From "Allen Wittenauer (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HDFS-1023) Allow http server to start as regular principal if https principal not defined.
Date Fri, 05 Mar 2010 01:31:27 GMT

    [ https://issues.apache.org/jira/browse/HDFS-1023?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12841645#action_12841645 ]

Allen Wittenauer commented on HDFS-1023:
----------------------------------------

> another Sun KerbSSL limitation appears to require you to store all principals in the
> same keytab

FWIW, most of the implementations (at least that are exposed to the user) require that all
principals that might get used for a given service are stored in one keytab.  Even so:

> Sun's KerbSSL implementation require the https server to be run as "host/[machine]@realm."

It is pretty amazing/disappointing that the normal HTTP/[machine] doesn't work. :(

> Allow http server to start as regular principal if https principal not defined.
> -------------------------------------------------------------------------------
>
>                 Key: HDFS-1023
>                 URL: https://issues.apache.org/jira/browse/HDFS-1023
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>            Reporter: Jakob Homan
>            Assignee: Jakob Homan
>         Attachments: HDFS-1023-Y20.patch
>
>
> Currently limitations in Sun's KerbSSL implementation require the https server to be
> run as "host/[machine]@realm." and another Sun KerbSSL limitation appears to require you to
> store all principals in the same keytab, meaning fully functional, secured Namenodes require
> combined keytabs.  However, it may be that one wishes to run a namenode without a secondary
> namenode or other utilities that require https.  In this case, we should allow the http server
> to start and log a warning that it will not be able to accept https connections.

-- 
This message is automatically generated by JIRA.
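As an added example (not part of the original message or of the HDFS-1023 patch): a pre-flight check that reads a combined keytab in the MIT 0x0502 file format and applies the startup rule proposed in the issue to its contents. The host name, realm, "nn" service name and all function names are constructed for illustration, and checking the keytab (rather than the server configuration) is an assumption of this sketch.

```python
import struct

def keytab_principals(data: bytes) -> set:
    """List principals in a keytab using the MIT file format, version 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    names, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # a negative size marks a deleted slot
            pos += -size
            continue
        if pos + size > len(data):
            raise ValueError("truncated keytab entry")
        (count,) = struct.unpack_from(">H", data, pos)
        p, parts = pos + 2, []
        for _ in range(count + 1):         # realm first, then each name component
            (n,) = struct.unpack_from(">H", data, p)
            parts.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        names.add("/".join(parts[1:]) + "@" + parts[0])
        pos += size                        # skip name type, timestamp, kvno, key
    return names

def plan_http_server(data: bytes, regular: str, https: str):
    """Startup rule proposed in the issue, applied to one combined keytab."""
    have = keytab_principals(data)
    if regular not in have:
        raise LookupError(regular + " is missing from the keytab")
    if https not in have:
        return "http-only", "WARN: no key for " + https + "; https connections will not be accepted"
    return "http+https", None

def make_entry(principal: str) -> bytes:
    """Build one keytab entry with an all-zero dummy key (constructed test data)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, 1)             # name type, timestamp, kvno
    body += struct.pack(">HH", 18, 32) + bytes(32)   # enctype 18, 32-byte key
    return struct.pack(">i", len(body)) + body

# Constructed principals and keytabs; host, realm and "nn" service name are assumptions.
NN, HOST = "nn/nn1.example.com@EXAMPLE.COM", "host/nn1.example.com@EXAMPLE.COM"
COMBINED = b"\x05\x02" + make_entry(NN) + make_entry(HOST)
NN_ONLY = b"\x05\x02" + make_entry(NN)
```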