Mubashir Kazia created HADOOP-10183:
---------------------------------------

             Summary: Allow use of UPN style principals in keytab files
                 Key: HADOOP-10183
                 URL: https://issues.apache.org/jira/browse/HADOOP-10183
             Project: Hadoop Common
          Issue Type: Improvement
          Components: security
            Reporter: Mubashir Kazia


Hadoop currently only allows SPN style (E.g. hdfs/node.fqdn@REALM) principals
in keytab files in a cluster configured with Kerberos security. This causes the
burden of creating multiple principals and keytabs for each node of the
cluster. Active Directory allows the use of a single principal across multiple
hosts if the SPNs for the different hosts have been set up correctly on the
principal. With this scheme we have the server side using a keytab file with a UPN
style (E.g. hdfs@REALM) principal for a given service for all the nodes of the
cluster. The client side will request service tickets with the SPN and its own TGT
and Active Directory will grant service tickets with the correct secret.

This will simplify the use of principals and keytab files for Active Directory 
users with one principal for each service across all the nodes of the cluster. 

I have a patch to allow the use of UPN style principals in Hadoop. The patch
will not affect the use of SPN style principals. I couldn't figure out a way to
write test cases against MiniKDC so I have included the Oracle/Sun sample SASL
server and client code along with the configuration I used to confirm this
scheme works.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
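The scheme in the report hinges on how a principal name is shaped: an SPN style name carries a host instance (hdfs/node.fqdn@REALM), a UPN style name carries none (hdfs@REALM), and a shared keytab only works when AD has every node's SPN registered on the one account. The following is an added example, not part of the JIRA issue and not Hadoop's own code or the attached patch. It parses principal names with Kerberos backslash quoting, classifies them, expands Hadoop's `_HOST` placeholder, lists the SPNs the AD account must carry, and picks which keytab entry a node should log in with (exact SPN first, UPN fallback second). The cluster names, realm and keytab contents are constructed for the example.

```python
"""Kerberos principal handling for the UPN-vs-SPN keytab scheme.

Added example only: not Hadoop's code. The realm, host names and keytab
contents used in the docstrings are made up for illustration.
"""


def parse_principal(name):
    """Split 'comp1/comp2@REALM' into (components, realm).

    A backslash quotes the following character, so '\\/' and '\\@' are
    literal characters inside a component rather than separators.
    A name with no unescaped '@' gets realm ''.
    """
    components, buf, in_realm = [], [], False
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\":
            if i + 1 >= len(name):
                raise ValueError("dangling backslash in principal: %r" % name)
            buf.append(name[i + 1])
            i += 2
            continue
        if not in_realm and ch == "/":
            components.append("".join(buf))
            buf = []
        elif not in_realm and ch == "@":
            components.append("".join(buf))
            buf = []
            in_realm = True
        else:
            buf.append(ch)
        i += 1
    realm = "".join(buf) if in_realm else ""
    if not in_realm:
        components.append("".join(buf))
    if any(c == "" for c in components) or (in_realm and realm == ""):
        raise ValueError("empty component or realm in principal: %r" % name)
    return components, realm


def format_principal(components, realm):
    """Inverse of parse_principal, re-quoting '\\', '/' and '@'."""
    def esc(s):
        return s.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")
    out = "/".join(esc(c) for c in components)
    return out + "@" + esc(realm) if realm else out


def is_upn(name):
    """True for a single-component name such as hdfs@EXAMPLE.COM."""
    components, _ = parse_principal(name)
    return len(components) == 1


def expand_host(name, fqdn):
    """Replace a '_HOST' instance component with the node's FQDN.

    Mirrors the placeholder Hadoop configuration uses for SPN style
    principals (hdfs/_HOST@REALM). The host is lowercased here to get
    one canonical spelling; a UPN has no instance and is unchanged.
    """
    components, realm = parse_principal(name)
    if len(components) >= 2 and components[1] == "_HOST":
        components[1] = fqdn.lower()
    return format_principal(components, realm)


def required_spns(service, fqdns):
    """SPNs (AD 'service/host' form, no realm) that must be registered on
    the single service account for every node to be served by the UPN."""
    return ["%s/%s" % (service, h.lower()) for h in fqdns]


def select_keytab_principal(wanted_spn, keytab_principals):
    """Choose the keytab entry a node should log in with to serve wanted_spn.

    Exact SPN match first (classic per-node keytab); otherwise the UPN
    with the same service name and realm (the shared-keytab scheme,
    valid only if AD has wanted_spn registered on that account); else None.
    """
    comps, realm = parse_principal(wanted_spn)
    canonical = {}
    for p in keytab_principals:
        c, r = parse_principal(p)
        canonical[format_principal(c, r)] = p
    exact = format_principal(comps, realm)
    if exact in canonical:
        return canonical[exact]
    upn = format_principal([comps[0]], realm)
    return canonical.get(upn)


if __name__ == "__main__":
    # Constructed keytab: one UPN for hdfs, a per-node SPN for HTTP.
    keytab = ["hdfs@EXAMPLE.COM", "HTTP/node1.example.com@EXAMPLE.COM"]
    for node in ("node1.example.com", "node2.example.com"):
        spn = expand_host("hdfs/_HOST@EXAMPLE.COM", node)
        print(node, "->", spn, "served via", select_keytab_principal(spn, keytab))
    print("register on account:", required_spns("hdfs", ["node1.example.com", "node2.example.com"]))
```

`select_keytab_principal` only decides which entry the acceptor loads; it cannot tell you whether AD actually has the SPN on the account, which is the part that must be checked on the domain side (the SPN list of the account) before trusting the fallback.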