Thanks @Vinod and proxy-users was considered. But what we want to support is accessing multiple secured Hadoop. If we want to initialize the Kerberos credentials, we need config the file of /etc/krb5.conf. If we want to access two different Kerberos services(specified KDC), we can not run JVM process with two files of /etc/krb5.conf. That is why cross-realm can work because we only need to login with one KDC. Since we can take users' keytab files and proxy is not the critical problem for us.
Please correct me if proxy-users can proxy different users from multiple secured Hadoop clusters. Regards On Tue, Dec 24, 2019 at 1:14 PM Vinod Kumar Vavilapalli <vino...@apache.org> wrote: > You are looking for the proxy-users pattern. See here: > https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/Superusers.html > > Thanks > +Vinod > > On Dec 24, 2019, at 9:49 AM, tobe <tobeg3oo...@gmail.com> wrote: > > Currently Hadoop relies on Kerberos to do authentication and > authorization. For single user, we can initialize clients with keytab > files in command-line or Java program. > > But sometimes we need to access Hadoop as multiple users. For example, we > build the web service to view users' HDFS files. We have authorization to > get user name and use this user's keytab to login before requesting HDFS. > However, this doesn't work for multiple Hadoop clusters and multiple KDC. > > Currently the only way to do that is enable cross-realm for these KDC. But > in some scenarios we can not change the configuration of KDC and want > single process to switch the Kerberos user on the fly without much overhead. > > Here is the related discussion in StackOverflow: > > - > > https://stackoverflow.com/questions/15126295/using-java-programmatically-log-in-multiple-kerberos-realms-with-different-keyta# > > <https://stackoverflow.com/questions/15126295/using-java-programmatically-log-in-multiple-kerberos-realms-with-different-keyta> > - > > https://stackoverflow.com/questions/57008499/data-transfer-between-two-kerberos-secured-cluster > , > - > > https://stackoverflow.com/questions/22047145/hadoop-distcp-between-two-securedkerberos-clusters > , > - > > https://stackoverflow.com/questions/39648106/access-two-secured-kerberos-hadoop-hbase-clusters-from-the-same-process > > - > > https://stackoverflow.com/questions/1437281/reload-kerberos-config-in-java-without-restarting-jvm > > > Regards > > >
