[
https://issues.apache.org/jira/browse/HADOOP-17005?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17092865#comment-17092865
]
Maziar Mirzazad commented on HADOOP-17005:
------------------------------------------
Thanks [[email protected]] for your input.
[~smarella] and I have been testing changes against 2.9.2 and wanted to get
input from the community and then work on a patch against trunk.
Our change includes login tries for Service Principal and User Principal.
Basically, the login process will try all the configured Keytab paths (usually
few) and principal type combinations (SPN/UPN) until it is successful. Also, we
are assuming the realm should be available through the getDefaultRealm function.
In case of an unsuccessful login, it falls back to the current logged-in user,
which might be a Unix principal.
I can make the changes against trunk and submit the patch.
cc: [~jrottinghuis]
> Add capability in hadoop-client to automatically login from a client/service
> keytab
> -----------------------------------------------------------------------------------
>
> Key: HADOOP-17005
> URL: https://issues.apache.org/jira/browse/HADOOP-17005
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 3.2.1
> Reporter: Maziar Mirzazad
> Priority: Minor
>
> With the existing Hadoop client implementation, client applications for
> services that are using kerberized clusters need to handle Keytab-based login
> in their code before doing HDFS or M/R API calls.
> To avoid that, we are proposing adding Keytab-based auto login to the hadoop
> client library with configurable and default paths for Keytabs.
> This functionality helps new service owners as well as those transitioning
> from non-kerberized clusters to kerberized ones.
> Auto login should avoid extra login attempts in case a valid TGT is already
> available.
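
The login order described in the comment above, sketched as an added example (not the HADOOP-17005 patch and not hadoop-client code). The class KeytabAutoLogin, the method autoLogin, its parameters and the SPN/UPN principal forms (name/host@REALM and name@REALM) are assumptions made for illustration; the UserGroupInformation and KerberosUtil calls are existing Hadoop APIs.

```java
import java.io.File;
import java.io.IOException;
import java.net.InetAddress;
import java.util.List;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.util.KerberosUtil;

// Hypothetical helper: illustrates the proposed behaviour, not the actual patch.
public class KeytabAutoLogin {
  public static UserGroupInformation autoLogin(Configuration conf, String shortName,
      List<String> keytabPaths) throws Exception {
    UserGroupInformation.setConfiguration(conf);
    UserGroupInformation current = UserGroupInformation.getCurrentUser();
    // Security disabled, or Kerberos credentials (ticket cache or keytab) are
    // already held: make no extra login attempt.
    if (!UserGroupInformation.isSecurityEnabled() || current.hasKerberosCredentials()) {
      return current;
    }
    // Realm from the local Kerberos configuration, as the comment assumes.
    String realm = KerberosUtil.getDefaultRealm();
    String host = InetAddress.getLocalHost().getCanonicalHostName().toLowerCase();
    // Assumed principal forms: SPN first, then UPN.
    String[] principals = {
        shortName + "/" + host + "@" + realm,
        shortName + "@" + realm };
    for (String path : keytabPaths) {
      if (!new File(path).canRead()) {
        continue; // missing or unreadable keytab: try the next configured path
      }
      for (String principal : principals) {
        try {
          // Replaces the process-wide login user on success.
          UserGroupInformation.loginUserFromKeytab(principal, path);
          System.err.println("auto login: " + principal + " from " + path);
          return UserGroupInformation.getLoginUser();
        } catch (IOException e) {
          // Wrong principal for this keytab, or KDC rejection: keep trying.
          System.err.println("auto login failed: " + principal + " / " + path
              + ": " + e.getMessage());
        }
      }
    }
    // Fallback from the comment: keep the current (possibly Unix) user. Logging
    // it makes a silent loss of Kerberos identity visible to operators.
    System.err.println("auto login: no keytab worked, staying as "
        + current.getUserName() + " (" + current.getAuthenticationMethod() + ")");
    return current;
  }
}
```

Logging each attempt and the final fallback gives operators an audit trail showing which principal a service actually authenticated as.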