On 5 Jul 2016, at 22:31, David Morel wrote:
On 5 Jul 2016, at 20:43, Benjamin Ross wrote:
Hey David,
Thanks. Yep - that's the easy part. Let me clarify.
Consider that we have:
1. A Hadoop cluster running without Kerberos
2. A number of services contacting that Hadoop cluster and retrieving
data from it using WebHDFS.
Clearly the services don't need to log in to WebHDFS using credentials
because the cluster isn't kerberized just yet.
Now what happens when we enable Kerberos on the cluster? We still
need to allow those services to contact the cluster without
credentials until we can upgrade them. Otherwise we'll have
downtime. So what can we do?
As a possible solution, is there any way to allow unprotected access
from just those machines until we can upgrade them?
I doubt you can enable Kerberos without downtime anyway :) But apart
from using Knox as mentioned by Larry (didn't use it so couldn't
comment on that and whether it would support some sort of fallback
allowing for near-zero downtime), I guess your apps will need support
for both Kerberized and non-Kerberized HTTP, which you can drive with
some master switch from something appropriate, be it DB or Zookeeper
or whatever. In that case working on the client classes/apps and
making them support both would be preliminary to anything else. But I
may be missing the point again?
David
Actually, looking at the module I pointed to, it uses under the hood the
LWP::Authen module that will transparently do that, since the way it
works is the server drives the client behaviour. I had forgotten about
that, my bad :( So you don't need a switch, just a library that acts
according to the spec, and I suspect most languages would have one.
David
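
The server-driven behaviour described in the last message, as an added Python sketch (not part of the thread, and not LWP::Authen or Hadoop code): the client sends no credentials until the server answers 401 with `WWW-Authenticate: Negotiate`, so the same client works before and after Kerberos is enabled. The stub server, `TOKEN`, `fetch` and `demo` are assumptions made for the illustration; a real client would obtain the token from GSSAPI.

```python
import http.server
import threading
import urllib.error
import urllib.request

TOKEN = "Y29uc3RydWN0ZWQ="  # constructed placeholder; a real client gets this from GSSAPI

def make_server(kerberized):
    """Constructed stand-in for a WebHDFS endpoint (not Hadoop code)."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            authed = self.headers.get("Authorization", "").startswith("Negotiate ")
            if kerberized and not authed:  # challenge instead of serving data
                self.send_response(401)
                self.send_header("WWW-Authenticate", "Negotiate")
                body = b""
            else:
                self.send_response(200)
                body = b'{"FileStatuses": {}}'
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):  # keep the demo quiet
            pass
    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def fetch(url, token=TOKEN):
    """Return (status, used_negotiate); credentials are sent only when challenged."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxies
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, False
    except urllib.error.HTTPError as err:
        offered = [c.split()[0].lower() for c in err.headers.get_all("WWW-Authenticate", []) if c.strip()]
        if err.code != 401 or "negotiate" not in offered:
            raise
    req = urllib.request.Request(url, headers={"Authorization": "Negotiate " + token})
    with opener.open(req, timeout=5) as resp:
        return resp.status, True

def demo():
    """Run the same client against an unsecured and a secured stub endpoint."""
    results = {}
    for kerberized in (False, True):
        srv = make_server(kerberized)
        results[kerberized] = fetch("http://127.0.0.1:%d/webhdfs/v1/tmp?op=LISTSTATUS" % srv.server_address[1])
        srv.shutdown()
    return results
```

`demo()` maps each server mode to `(status, used_negotiate)`: the unsecured endpoint is served on the first request, the secured one only after the challenge is answered.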