hbase-issues mailing list archives

From "Gary Helmling (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-15254) Support fixed domain name in Kerberos name for HBase replication cross realm trust setup
Date Thu, 11 Feb 2016 20:51:18 GMT

    [ https://issues.apache.org/jira/browse/HBASE-15254?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15143483#comment-15143483 ]

Gary Helmling commented on HBASE-15254:
---------------------------------------

bq. To save all this effort, users may prefer to have a fixed domain name in the principal
for all the hosts, and in that case HBase replication will fail because currently we are using
the client principal to create the SASL client; instead we need to use the server principal to
create the SASL client and establish the SASL context

Could this be related to HBASE-14866?  Could you describe your replication setup a bit more,
in particular, how have you configured the replication peer for the destination cluster? 
Did you override the values for {{hbase.master.kerberos.principal}} and {{hbase.regionserver.kerberos.principal}}
for the destination cluster when creating the peer cluster config?  As I understand it, your
principal would look like: hbase/instance1@REALM1.COM for the source cluster and hbase/instance2@REALM2.COM
for the destination.  Is this correct?

We have replication working with cross-realm trust here. The Kerberos principal instance component
is the FQDN for us, but the primary component differs between the two clusters for isolation.

> Support fixed domain name in Kerberos name for HBase replication cross realm trust setup
> ----------------------------------------------------------------------------------------
>
>                 Key: HBASE-15254
>                 URL: https://issues.apache.org/jira/browse/HBASE-15254
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: Ashish Singhi
>            Assignee: Ashish Singhi
>              Labels: kerberos, replication, security
>
> HBase replication will not work with Kerberos cross realm trust when the domain name in the
> principal is not the hostname.
> A mail related to this was also sent to the user mailing list, [mail | https://groups.google.com/forum/#!topic/nosql-databases/AYhQnU9Fc7E]
> The problem here is that whenever a user adds a new host to the cluster, he/she also needs to
> add a principal name for that host in the KDC, generate a new keytab file and update it across
> other hosts accordingly if required.
> To save all this effort, users may prefer to have a fixed domain name in the principal
> for all the hosts, and in that case HBase replication will fail because currently we are using
> the client principal to create the SASL client; instead we need to use the server principal to
> create the SASL client and establish the SASL context



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
