You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-user@hadoop.apache.org by wzc <wz...@gmail.com> on 2013/12/24 17:53:44 UTC

client authentication when kerberos enabled

Hi all,

To access a Kerberos-protected cluster,  our hadoop clients need to get a
kerberos ticket (kinit user@realm) before submitting jobs. We want our
clients to  get rid of kerberos password, so we would like to use keytabs
for authentication. Here we export pincipals with the form
'username/host@realm'  and deploy them to our clients' hosts.

In addition, we want to make sure the host in the keytab matches the host
which one client submit job from.  Currently there is no host check on
client principal auth.

I have found some jira which maybe helpful:
https://issues.apache.org/jira/browse/HDFS-1003
https://issues.apache.org/jira/browse/HADOOP-7215

I have no idea how to achieve it,  I also wonder whether such check is
reasonable.
can anyone give me some hint?

Re: client authentication when kerberos enabled

Posted by wzc <wz...@gmail.com>.

Any help would be appreciated!


2013/12/25 wzc <wz...@gmail.com>

> Hi all,
>
> To access a Kerberos-protected cluster,  our hadoop clients need to get a
> kerberos ticket (kinit user@realm) before submitting jobs. We want our
> clients to  get rid of kerberos password, so we would like to use keytabs
> for authentication. Here we export pincipals with the form
> 'username/host@realm'  and deploy them to our clients' hosts.
>
> In addition, we want to make sure the host in the keytab matches the host
> which one client submit job from.  Currently there is no host check on
> client principal auth.
>
> I have found some jira which maybe helpful:
> https://issues.apache.org/jira/browse/HDFS-1003
> https://issues.apache.org/jira/browse/HADOOP-7215
>
> I have no idea how to achieve it,  I also wonder whether such check is
> reasonable.
> can anyone give me some hint?
>
>
>

Re: client authentication when kerberos enabled

Posted by wzc <wz...@gmail.com>.

Any help would be appreciated!


2013/12/25 wzc <wz...@gmail.com>

> Hi all,
>
> To access a Kerberos-protected cluster,  our hadoop clients need to get a
> kerberos ticket (kinit user@realm) before submitting jobs. We want our
> clients to  get rid of kerberos password, so we would like to use keytabs
> for authentication. Here we export pincipals with the form
> 'username/host@realm'  and deploy them to our clients' hosts.
>
> In addition, we want to make sure the host in the keytab matches the host
> which one client submit job from.  Currently there is no host check on
> client principal auth.
>
> I have found some jira which maybe helpful:
> https://issues.apache.org/jira/browse/HDFS-1003
> https://issues.apache.org/jira/browse/HADOOP-7215
>
> I have no idea how to achieve it,  I also wonder whether such check is
> reasonable.
> can anyone give me some hint?
>
>
>

Re: client authentication when kerberos enabled

Posted by wzc <wz...@gmail.com>.

Any help would be appreciated!


2013/12/25 wzc <wz...@gmail.com>

> Hi all,
>
> To access a Kerberos-protected cluster,  our hadoop clients need to get a
> kerberos ticket (kinit user@realm) before submitting jobs. We want our
> clients to  get rid of kerberos password, so we would like to use keytabs
> for authentication. Here we export pincipals with the form
> 'username/host@realm'  and deploy them to our clients' hosts.
>
> In addition, we want to make sure the host in the keytab matches the host
> which one client submit job from.  Currently there is no host check on
> client principal auth.
>
> I have found some jira which maybe helpful:
> https://issues.apache.org/jira/browse/HDFS-1003
> https://issues.apache.org/jira/browse/HADOOP-7215
>
> I have no idea how to achieve it,  I also wonder whether such check is
> reasonable.
> can anyone give me some hint?
>
>
>

Re: client authentication when kerberos enabled

Posted by wzc <wz...@gmail.com>.

Any help would be appreciated!


2013/12/25 wzc <wz...@gmail.com>

> Hi all,
>
> To access a Kerberos-protected cluster,  our hadoop clients need to get a
> kerberos ticket (kinit user@realm) before submitting jobs. We want our
> clients to  get rid of kerberos password, so we would like to use keytabs
> for authentication. Here we export pincipals with the form
> 'username/host@realm'  and deploy them to our clients' hosts.
>
> In addition, we want to make sure the host in the keytab matches the host
> which one client submit job from.  Currently there is no host check on
> client principal auth.
>
> I have found some jira which maybe helpful:
> https://issues.apache.org/jira/browse/HDFS-1003
> https://issues.apache.org/jira/browse/HADOOP-7215
>
> I have no idea how to achieve it,  I also wonder whether such check is
> reasonable.
> can anyone give me some hint?
>
>
>