Tianyin Xu created HADOOP-12676:
-----------------------------------

Summary: Consider the default keytab file of Kerberos
Key: HADOOP-12676
URL: https://issues.apache.org/jira/browse/HADOOP-12676
Project: Hadoop Common
Issue Type: Improvement
Components: security
Affects Versions: 2.6.2, 2.7.1
Reporter: Tianyin Xu
Priority: Minor

In the current implementation of {{SecurityUtil}}, we do not consider the default keytab file of Kerberos (which is {{/etc/krb5.keytab}} in [MIT Kerberos defaults|http://web.mit.edu/kerberos/krb5-1.13/doc/mitK5defaults.html#paths]).

If the user does not set the keytab file, an {{IOException}} will be thrown.

{code:title=SecurityUtil.java|borderStyle=solid}
public static void login(final Configuration conf,
    final String keytabFileKey, final String userNameKey, String hostname)
    throws IOException {
  ...
  String keytabFilename = conf.get(keytabFileKey);
  if (keytabFilename == null || keytabFilename.length() == 0) {
    throw new IOException("Running in secure mode, but config doesn't have a keytab");
  }
{code}

However, the default keytab location is assumed by some of the callers. For example, in [{{yarn-default.xml}}|https://hadoop.apache.org/docs/r2.7.1/hadoop-yarn/hadoop-yarn-common/yarn-default.xml], the defaults of {{yarn.resourcemanager.keytab}}, {{yarn.nodemanager.keytab}}, and {{yarn.timeline-service.keytab}} all point to {{/etc/krb5.keytab}}.

On the other hand, these callers directly call the {{SecurityUtil.login}} method; therefore, the docs are incorrect, in that the defaults are actually {{null}} (as we do not have a default)...

{code:title=NodeManager.java|borderStyle=solid}
protected void doSecureLogin() throws IOException {
  SecurityUtil.login(getConfig(), YarnConfiguration.NM_KEYTAB,
      YarnConfiguration.NM_PRINCIPAL);
}
{code}

I don't know if we should make {{/etc/krb5.keytab}} the default in {{SecurityUtil}}, or ask the callers to correct their assumptions. I am posting this here as a potential improvement.

Thanks!
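
Added example, not part of the original report and not Hadoop code: a sketch of the first option raised above, where the keytab lookup falls back to the default path and still fails closed. {{KeytabResolver}} and {{resolveKeytab}} are hypothetical names, a {{Map}} stands in for Hadoop's {{Configuration}}, and the permission check is an extra assumption that needs a POSIX file system.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.*;
public class KeytabResolver {
    // MIT Kerberos default keytab path cited in the issue.
    static final String DEFAULT_KEYTAB = "/etc/krb5.keytab";
    // Hypothetical helper; a Map stands in for Hadoop's Configuration.
    static Path resolveKeytab(Map<String, String> conf, String keytabFileKey,
                              String defaultKeytab) throws IOException {
        String name = conf.get(keytabFileKey);
        boolean useDefault = (name == null || name.length() == 0);
        Path keytab = Paths.get(useDefault ? defaultKeytab : name);
        String source = useDefault ? "built-in default" : keytabFileKey;
        if (!Files.isRegularFile(keytab) || !Files.isReadable(keytab)) {
            throw new IOException("Running in secure mode, but keytab " + keytab
                + " (" + source + ") is missing or unreadable");
        }
        // Assumption added here: reject a keytab that group or others can read,
        // since it holds long-term keys. Needs a POSIX file system.
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(keytab);
        if (perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ)) {
            throw new IOException("Keytab " + keytab + " (" + source
                + ") is readable by group or others");
        }
        return keytab;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: an empty temp file plays the keytab (mode 0600).
        Path sample = Files.createTempFile("sample", ".keytab");
        Map<String, String> conf = new HashMap<>();
        // Key unset: falls back to the default passed in (the sample file here).
        System.out.println(resolveKeytab(conf, "yarn.nodemanager.keytab", sample.toString()));
        // Key set explicitly: the configured value wins over the default.
        conf.put("yarn.nodemanager.keytab", sample.toString());
        System.out.println(resolveKeytab(conf, "yarn.nodemanager.keytab", DEFAULT_KEYTAB));
        // Loosened permissions: the resolver fails closed.
        Files.setPosixFilePermissions(sample, PosixFilePermissions.fromString("rw-r--r--"));
        try {
            resolveKeytab(conf, "yarn.nodemanager.keytab", DEFAULT_KEYTAB);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        } finally {
            Files.delete(sample);
        }
    }
}
```

The error message names whether the path came from the configuration key or from the fallback, so an operator can tell which of the two to fix.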