You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@hadoop.apache.org by wzc <wz...@gmail.com> on 2014/01/14 15:42:45 UTC

Re: client authentication when kerberos enabled

Any help would be appreciated!


2013/12/25 wzc <wz...@gmail.com>

> Hi all,
>
> To access a Kerberos-protected cluster,  our hadoop clients need to get a
> kerberos ticket (kinit user@realm) before submitting jobs. We want our
> clients to  get rid of kerberos password, so we would like to use keytabs
> for authentication. Here we export pincipals with the form
> 'username/host@realm'  and deploy them to our clients' hosts.
>
> In addition, we want to make sure the host in the keytab matches the host
> which one client submit job from.  Currently there is no host check on
> client principal auth.
>
> I have found some jira which maybe helpful:
> https://issues.apache.org/jira/browse/HDFS-1003
> https://issues.apache.org/jira/browse/HADOOP-7215
>
> I have no idea how to achieve it,  I also wonder whether such check is
> reasonable.
> can anyone give me some hint?
>
>
>