Posted to common-issues@hadoop.apache.org by "Xiaoqiao He (Jira)" <ji...@apache.org> on 2020/03/22 11:57:00 UTC

[jira] [Commented] (HADOOP-15440) Support kerberos principal name pattern for KerberosAuthenticationHandler

    [ https://issues.apache.org/jira/browse/HADOOP-15440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17064250#comment-17064250 ] 

Xiaoqiao He commented on HADOOP-15440:
--------------------------------------

Thanks [~eyang] for your suggestions, and I am very sorry for missing this JIRA for a long time.
{quote}for case `test/_HOST/test`, it will be replaced to `test/$hostname/test`.
It probably should throw error if the format is not a proper kerberos service principal.{quote}
It could be checked in the following statement for this case, IIUC.
{quote}Principal krbPrincipal = new KerberosPrincipal(spng);{quote}
{quote}I think Hadoop is using hadoop.security.dns.interface to determine which hostname to bind. This may help for the hostname lookup.{quote}
It is true that using `hadoop.security.dns.interface` is more accurate. Actually this logic is implemented completely in `SecurityUtil`, but when I want to import `hadoop-common` into the sub-module `hadoop-auth` it throws a cyclic reference exception. So my question is whether we need to add the same logic in the sub-module `hadoop-auth`, or is there some other solution? Sorry, I am not very familiar with this module. Thanks again.

> Support kerberos principal name pattern for KerberosAuthenticationHandler
> -------------------------------------------------------------------------
>
>                 Key: HADOOP-15440
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15440
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Xiaoqiao He
>            Assignee: Xiaoqiao He
>            Priority: Major
>         Attachments: HADOOP-15440-trunk.001.patch, HADOOP-15440.002.patch
>
>
> When setting up an HttpFS server or KMS server in security mode, we have to configure the Kerberos principal for these services. It doesn't support converting a Kerberos principal name pattern to valid Kerberos principal names, whereas NameNode/DataNode and many other services can do that, so it is confusing for users. So I propose to replace the hostname pattern with the hostname, which should be a fully-qualified domain name.
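
The `_HOST` expansion discussed in this thread, with an explicit shape check so that a pattern such as `test/_HOST/test` is rejected before substitution. This is an added example, not code from the attached patches or from Hadoop; the class name, method name, hostname and realm are hypothetical or constructed.

```java
import java.util.Locale;

// Added illustration: PrincipalPattern and resolve() are hypothetical names,
// not part of hadoop-auth or hadoop-common.
public class PrincipalPattern {
  private static final String HOST_PATTERN = "_HOST";

  /**
   * Expands service/_HOST[@REALM] to service/fqdn[@REALM].
   * Anything that is not exactly two non-empty components is rejected.
   */
  static String resolve(String pattern, String fqdn) {
    String name = pattern;
    String realm = "";
    int at = pattern.lastIndexOf('@');
    if (at >= 0) {
      name = pattern.substring(0, at);
      realm = pattern.substring(at); // keeps the leading '@'
    }
    String[] parts = name.split("/", -1);
    if (parts.length != 2 || parts[0].isEmpty() || parts[1].isEmpty()) {
      throw new IllegalArgumentException("Not a service/host principal: " + pattern);
    }
    if (!HOST_PATTERN.equals(parts[1])) {
      return pattern; // explicit hostname configured, nothing to expand
    }
    // Assumption of this example: the caller supplies the hostname, and a
    // name without a dot is treated as not fully qualified.
    if (fqdn == null || !fqdn.contains(".")) {
      throw new IllegalArgumentException("Hostname is not fully qualified: " + fqdn);
    }
    return parts[0] + "/" + fqdn.toLowerCase(Locale.ROOT) + realm;
  }

  public static void main(String[] args) {
    String host = "KMS01.example.com"; // constructed sample hostname
    String[] samples = {               // constructed sample patterns
      "HTTP/_HOST@EXAMPLE.COM", "HTTP/web.example.com@EXAMPLE.COM", "test/_HOST/test"
    };
    for (String p : samples) {
      try {
        System.out.println(p + " -> " + resolve(p, host));
      } catch (IllegalArgumentException e) {
        System.out.println(p + " rejected: " + e.getMessage());
      }
    }
  }
}
```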


