hadoop-mapreduce-user mailing list archives

From "David Morel" <david.mo...@amakuru.net>
Subject Re: Question regarding WebHDFS security
Date Tue, 05 Jul 2016 20:39:56 GMT
On 5 Jul 2016, at 22:31, David Morel wrote:

> On 5 Jul 2016, at 20:43, Benjamin Ross wrote:
>
>> Hey David,
>> Thanks.  Yep - that's the easy part.  Let me clarify.
>>
>>
>> Consider that we have:
>> 1. A Hadoop cluster running without Kerberos
>> 2. A number of services contacting that Hadoop cluster and retrieving 
>> data from it using WebHDFS.
>>
>>
>> Clearly the services don't need to log in to WebHDFS using credentials 
>> because the cluster isn't kerberized just yet.
>>
>>
>> Now what happens when we enable Kerberos on the cluster?  We still 
>> need to allow those services to contact the cluster without 
>> credentials until we can upgrade them.  Otherwise we'll have 
>> downtime.  So what can we do?
>>
>>
>> As a possible solution, is there any way to allow unprotected access 
>> from just those machines until we can upgrade them?
>
> I doubt you can enable Kerberos without downtime anyway :) But apart 
> from using Knox as mentioned by Larry (didn't use it so couldn't 
> comment on that and whether it would support some sort of fallback 
> allowing for near-zero downtime), I guess your apps will need support 
> for both Kerberized and non-Kerberized HTTP, which you can drive with 
> some master switch from something appropriate, be it DB or Zookeeper 
> or whatever. In that case working on the client classes/apps and 
> making them support both would be preliminary to anything else. But I 
> may be missing the point again?
>
> David

Actually, looking at the module I pointed to, it uses under the hood the 
LWP::Authen module that will transparently do that, since the way it 
works is the server drives the client behaviour. I had forgotten about 
that, my bad :( So you don't need a switch, just a library that acts 
according to the spec, and I suspect most languages would have one.

David
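
The behaviour described in this message, where the server's 401 challenge drives the client, as an added example (not part of the original message and not the LWP module's code). The local server is a constructed stand-in for a WebHDFS endpoint that accepts any token, and `fake_token` is a hypothetical placeholder for a SPNEGO token that a real client would obtain from GSSAPI.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxies

def make_server(kerberized):
    """Constructed stand-in for a WebHDFS endpoint; accepts any Negotiate token."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            auth = self.headers.get("Authorization", "")
            challenge = kerberized and not auth.startswith("Negotiate ")
            body = b"" if challenge else b'{"FileStatus":{"type":"DIRECTORY"}}'
            self.send_response(401 if challenge else 200)
            if challenge:  # the server, not the client, decides that auth is needed
                self.send_header("WWW-Authenticate", "Negotiate")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):  # keep the demo quiet
            pass
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def fetch(url, token_provider):
    """GET url; returns (status, whether a Negotiate token had to be sent)."""
    try:
        with OPENER.open(url, timeout=5) as resp:
            return resp.status, False
    except urllib.error.HTTPError as err:
        offered = err.headers.get("WWW-Authenticate", "")
        if err.code != 401 or not offered.startswith("Negotiate"):
            raise
    req = urllib.request.Request(url, headers={"Authorization": "Negotiate " + token_provider()})
    with OPENER.open(req, timeout=5) as resp:
        return resp.status, True

def fake_token():
    return "Y29uc3RydWN0ZWQtdG9rZW4="  # constructed placeholder, not a real ticket

def demo(kerberized):
    srv = make_server(kerberized)
    try:
        return fetch("http://127.0.0.1:%d/webhdfs/v1/tmp?op=GETFILESTATUS" % srv.server_port, fake_token)
    finally:
        srv.shutdown()
```

The same `fetch` call works unchanged against both server modes, so the client needs no configuration switch when the cluster is kerberized.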
