hadoop-hdfs-issues mailing list archives

From "Jakob Homan (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HDFS-1023) Allow http server to start as regular principal if https principal not defined.
Date Fri, 05 Mar 2010 01:41:27 GMT

    [ https://issues.apache.org/jira/browse/HDFS-1023?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12841651#action_12841651 ]

Jakob Homan commented on HDFS-1023:
-----------------------------------

{quote}It is pretty amazing/disappointing that the normal HTTP/[machine] doesn't work. {quote}
I was pretty amazed at this too.  Definitely complicates deploying a secure cluster, although
only the NN and SNN need to have these combined keytabs, since they are the only https servers.
Line 299: http://hg.openjdk.java.net/jdk7/tl/jdk/file/893034df4ec2/src/share/classes/sun/security/ssl/krb5/KerberosClientKeyExchangeImpl.java

> Allow http server to start as regular principal if https principal not defined.
> -------------------------------------------------------------------------------
>
>                 Key: HDFS-1023
>                 URL: https://issues.apache.org/jira/browse/HDFS-1023
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>            Reporter: Jakob Homan
>            Assignee: Jakob Homan
>         Attachments: HDFS-1023-Y20.patch
>
>
> Currently limitations in Sun's KerbSSL implementation require the https server to be
> run as "host/[machine]@realm." and another Sun KerbSSL limitation appears to require you to
> store all principals in the same keytab, meaning fully functional, secured Namenodes require
> combined keytabs.  However, it may be that one wishes to run a namenode without a secondary
> namenode or other utilities that require https.  In this case, we should allow the http server
> to start and log a warning that it will not be able to accept https connections.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

