Great ! Thanks Rob! I will try it out today and reach out if I hit issues.
Thank you for your help. Di On Wed, Apr 4, 2018 at 4:15 PM, Robert Levas <rle...@hortonworks.com> wrote: > If you would like the HDFS keytab file installed on the same host as your > component, you can add a reference to that Kerberos identity in your > Kerberos.json file. Ideally this reference would be added to the > "identities" section for the specific component. The declaration would > look something like this: > > { > "name": "custom_component_hdfs", > "reference": "/HDFS/NAMENODE/hdfs" > } > > For example: > > "components": [ > { > "name": "MY_COMPONENT", > ... > "identities": [ > ... > { > "name": "custom_component_hdfs ", > "reference": "/HDFS/NAMENODE/hdfs" > } > ... > ], > ... > }, > > I hope this helps. > > Rob > > > On 4/4/18, 4:02 PM, "Di Li" <osji...@gmail.com> wrote: > > Hi Rob, > > Thanks for the explanation. I don't have issues with DN per se. My case > falls into the "*since then some services need to create directories > and > change permissions on them as the HDFS root user upon installation * > category > that you mentioned. I paired my service with DN assuming > hdfs.headless.keytab would be available. > > Is that possible for my service's kerberos.json to define a dependency > on > hdfs.headless.keytab ? This way, I can still cohost my component with > DN > (hard requirement ...) but still have the keytab available (no need to > modify HDFS kerberos.json) > > Thanks. > > Di > > On Wed, Apr 4, 2018 at 3:17 PM, Robert Levas <rle...@hortonworks.com> > wrote: > > > The DN does not need to authenticate as the "root" HDFS user to > perform > > administrative tasks. > > > > A while back, we started an initiative to reduce the exposure of the > HDFS > > "root" user due to security concerns. In doing so, we tightened up > where > > we distribute the HDFS keytab file. However since then some services > need > > to create directories and change permissions on them as the HDFS > root user > > upon installation; and thus, the keytab file is being distributed > more than > > some security-conscious people would like. Until we find a way to > > centralize the creation of these HDFS resources, we need to deal > with this. > > > > You should not normally need the HDFS keytab file on DN hosts... are > you > > having an issue? > > > > Rob > > > > > > On 4/4/18, 2:15 PM, "Di Li" <osji...@gmail.com> wrote: > > > > Hi folks, > > > > I noticed hdfs.headless.keytab only exists on NameNode and HDFS > client > > node. > > > > Could someone please share some details on why DN does not need > the > > hdfs.headless.keytab ? I thought we need it in order for DN to > work > > against > > NN. > > > > Any negative impacts if I always include hdfs.headless.keytab on > the DN > > nodes (such as ensure HDFS client always cohost with DNs) ? > > > > Thank you. > > > > Di > > > > > > > > >