You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by "vincent zeng (Jira)" <ji...@apache.org> on 2021/11/22 10:39:00 UTC

[jira] [Commented] (HADOOP-16779) Support dynamic change Kerberos user and KDC to access multiple Hadoop clusters

    [ https://issues.apache.org/jira/browse/HADOOP-16779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17447299#comment-17447299 ] 

vincent zeng commented on HADOOP-16779:
---------------------------------------

Any progress on this?

> Support dynamic change Kerberos user and KDC to access multiple Hadoop clusters
> -------------------------------------------------------------------------------
>
>                 Key: HADOOP-16779
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16779
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: chendihao
>            Priority: Major
>
> Currently Hadoop relies on Kerberos to do authentication and authorization. For single user, we can initialize  clients with keytab files in command-line or Java program.
> But sometimes we need to access Hadoop as multiple users. For example, we build the web service to view users' HDFS files. We have authorization to get user name and use this user's keytab to login before requesting HDFS. However, this doesn't work for multiple Hadoop clusters and multiple KDC. 
> Currently the only way to do that is enable cross-realm for these KDC. But in some scenarios we can not change the configuration of KDC and want single process to switch the Kerberos user on the fly without much overhead.
> Here is the related discussion in StackOverflow:
>  * [https://stackoverflow.com/questions/15126295/using-java-programmatically-log-in-multiple-kerberos-realms-with-different-keyta#|https://stackoverflow.com/questions/15126295/using-java-programmatically-log-in-multiple-kerberos-realms-with-different-keyta]
>  * [https://stackoverflow.com/questions/57008499/data-transfer-between-two-kerberos-secured-cluster] ，
>  * [https://stackoverflow.com/questions/22047145/hadoop-distcp-between-two-securedkerberos-clusters] ，
>  * [https://stackoverflow.com/questions/39648106/access-two-secured-kerberos-hadoop-hbase-clusters-from-the-same-process] 
>  * [https://stackoverflow.com/questions/1437281/reload-kerberos-config-in-java-without-restarting-jvm]



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org