hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Arpit Gupta (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-3466) The SPNEGO filter for the NameNode should come out of the web keytab file
Date Tue, 29 May 2012 21:28:23 GMT

    [ https://issues.apache.org/jira/browse/HDFS-3466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13285147#comment-13285147
] 

Arpit Gupta commented on HDFS-3466:
-----------------------------------

{quote}
It is an unnecessary flexibility (adding extra complexity) to have 2 keys for a keytab. IMO,
we should consolidate both keys in one instead.
{quote}

Multiple keytabs are needed when you have multiple services needing access to HTTP principal.
For example if oozie will run on the same node as the namenode, then rather than sharing one
keytab that has hdfs, oozie and HTTP principals in one keytab you can create a different keytab
which just has HTTP principal.

We need to do this because as soon as you add the same principal do a different keytab, earlier
keytabs become invalidated.
                
> The SPNEGO filter for the NameNode should come out of the web keytab file
> -------------------------------------------------------------------------
>
>                 Key: HDFS-3466
>                 URL: https://issues.apache.org/jira/browse/HDFS-3466
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: name-node, security
>    Affects Versions: 1.1.0, 2.0.0-alpha
>            Reporter: Owen O'Malley
>            Assignee: Owen O'Malley
>         Attachments: hdfs-3466-b1.patch, hdfs-3466-trunk.patch
>
>
> Currently, the spnego filter uses the DFS_NAMENODE_KEYTAB_FILE_KEY to find the keytab.
It should use the DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY to do it.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message