hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Arpit Gupta (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-3466) The SPNEGO filter for the NameNode should come out of the web keytab file
Date Tue, 29 May 2012 22:56:23 GMT

    [ https://issues.apache.org/jira/browse/HDFS-3466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13285230#comment-13285230
] 

Arpit Gupta commented on HDFS-3466:
-----------------------------------

@Aaron

The reason i think it will be easier is because if there is a separate file for HTTP principal
for a give host, even if you regenerate the keytab for that host the latest keytab will still
be valid for that host so the user would not have to know.

Regarding whether to change the keyname as @Alejandro suggested or fall back if the key is
not found this got changed when HDFS-2617 was committed. Before that trunk used DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY
key for the keytab for the HTTP principal. Branch 1.0 still uses the same key. So the users
that are already using webhdfs on a secure cluster will have to change their configs if we
change the config keys.
                
> The SPNEGO filter for the NameNode should come out of the web keytab file
> -------------------------------------------------------------------------
>
>                 Key: HDFS-3466
>                 URL: https://issues.apache.org/jira/browse/HDFS-3466
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: name-node, security
>    Affects Versions: 1.1.0, 2.0.0-alpha
>            Reporter: Owen O'Malley
>            Assignee: Owen O'Malley
>         Attachments: hdfs-3466-b1.patch, hdfs-3466-trunk.patch
>
>
> Currently, the spnego filter uses the DFS_NAMENODE_KEYTAB_FILE_KEY to find the keytab.
It should use the DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY to do it.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message