hadoop-user mailing list archives

From Zesheng Wu <wuzeshen...@gmail.com>
Subject Re: Programmatic Kerberos login with password to a secure cluster
Date Tue, 17 Jun 2014 01:57:43 GMT
Perhaps you can use LDAP (or any other possible way) to do the
authentication on the WebServer, and then let the WebServer, as an
authenticated proxy user, act as an agent for real users' requests.

2014-06-17 4:11 GMT+08:00 Geoff Thompson <geoff@bearpeak.com>:

> Greetings,
> We are developing a YARN application where the client executes on a
> machine that is external to a secure cluster. I have been able to
> successfully do a Kerberos login by manually running the kinit command on
> the external machine then starting the client. However, our goal is to not
> require the user to run kinit.
> I have been able to programmatically login using a keytab file using
> method loginUserFromKeytab from class
> org.apache.hadoop.security.UserGroupInformation. This is very useful.
> However, we also want to see if we can not require the use of a keytab file
> and allow the user to enter a password into the UI for our YARN client.
> Essentially I would like to write a “loginUserWithPassword” method. I can
> see that this would require creating a
> javax.security.auth.login.LoginContext with my own callback handler.
> Reading the UserGroupInformation source code I see that a LoginContext
> needs to be built with a “HadoopConfiguration” which is a private static
> class inside UserGroupInformation. This class is too difficult to duplicate
> in my own code since it has too many dependencies on other private details
> in class UserGroupInformation plus dependencies on other non-public classes
> in the org.apache.hadoop.security package.
> Does anyone know how I could do a programmatic Kerberos login with a
> password? Or perhaps access a HadoopConfiguration?
> Thanks,
> Geoff

Best Wishes!

Yours, Zesheng
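
The proxy-user arrangement suggested in the reply above, as an added example that is not part of the original thread or of Hadoop's own code: the web server logs in once from its own keytab and impersonates each user it has already authenticated, so no end-user Kerberos password reaches the client. The class name, the principal, the keytab path and the `listApplicationsAs` method are hypothetical placeholders, and the cluster is assumed to allow the impersonation through `hadoop.proxyuser.<name>.hosts` and `hadoop.proxyuser.<name>.groups` in core-site.xml.

```java
import java.security.PrivilegedExceptionAction;
import java.util.List;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.yarn.api.records.ApplicationReport;
import org.apache.hadoop.yarn.client.api.YarnClient;
import org.apache.hadoop.yarn.conf.YarnConfiguration;

public class ProxyUserYarnClient {
    // Placeholders (assumptions): the web server's own service principal and
    // keytab. The keytab should be readable only by the web server account.
    private static final String SERVICE_PRINCIPAL = "webserver/host.example.com@EXAMPLE.COM";
    private static final String SERVICE_KEYTAB = "/etc/security/keytabs/webserver.keytab";

    private final Configuration conf = new YarnConfiguration();

    public ProxyUserYarnClient() throws Exception {
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);
        // Only the web server holds Kerberos credentials; end users never
        // hand it a Kerberos password or keytab.
        UserGroupInformation.loginUserFromKeytab(SERVICE_PRINCIPAL, SERVICE_KEYTAB);
    }

    // authenticatedUser must be the identity established by the web tier's
    // own login (for example an LDAP bind), never a value copied from a
    // request parameter, because the cluster will trust it as-is.
    public List<ApplicationReport> listApplicationsAs(String authenticatedUser) throws Exception {
        UserGroupInformation realUser = UserGroupInformation.getLoginUser();
        realUser.checkTGTAndReloginFromKeytab(); // renew the service ticket if it is close to expiry
        UserGroupInformation proxy = UserGroupInformation.createProxyUser(authenticatedUser, realUser);
        // Calls inside doAs run as authenticatedUser, authenticated by the server's ticket.
        return proxy.doAs(new PrivilegedExceptionAction<List<ApplicationReport>>() {
            @Override
            public List<ApplicationReport> run() throws Exception {
                YarnClient yarn = YarnClient.createYarnClient();
                yarn.init(conf);
                yarn.start();
                try {
                    return yarn.getApplications();
                } finally {
                    yarn.stop();
                }
            }
        });
    }
}
```

Restricting the `hadoop.proxyuser` hosts and groups entries to the web server's host and to the groups it actually serves limits what a compromised web server can impersonate.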
