You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Devaraj Das (JIRA)" <ji...@apache.org> on 2014/01/02 22:59:53 UTC

[jira] [Commented] (HADOOP-10183) Allow use of UPN style principals in keytab files

    [ https://issues.apache.org/jira/browse/HADOOP-10183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13860842#comment-13860842 ] 

Devaraj Das commented on HADOOP-10183:
--------------------------------------

When we did this initially in Hadoop (sharing the same principal/keytab between DataNodes like dn@REALM), we ran into issues where the NameNode would reject simultaneous authentication requests from DataNodes assuming that someone is trying to do a replay attack. This was noticeable in the cluster startup when all datanodes would try to authenticate themselves.

(Thinking aloud) What you plan to do can be supported by having the same keytab/principal on all the hosts without any code change, no?

> Allow use of UPN style principals in keytab files
> -------------------------------------------------
>
>                 Key: HADOOP-10183
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10183
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.2.0
>            Reporter: Mubashir Kazia
>            Assignee: Mubashir Kazia
>         Attachments: AppConnection.java, HADOOP-10183.patch, HADOOP-10183.patch.1, Jaas.java, SaslTestClient.java, SaslTestServer.java, hdfs.keytab, jaas-krb5.conf, krb5.conf
>
>
> Hadoop currently only allows SPN style (E.g. hdfs/node.fqdn@REALM) principals in keytab files in a cluster configured with Kerberos security. This cause the burden of creating multiple principals and keytabs for each node of the cluster. Active Directory allows the use of single principal across multiple hosts if the SPNs for different hosts have been setup correctly on the principal. With this scheme we have the server side using keytab file with UPN style (E.g. hdfs@REALM) principal for a given service for all the nodes of the cluster. The client side will request service tickets with SPN and it's own TGT and Active Directory will grant service tickets with the correct secret. 
> This will simplify the use of principals and keytab files for Active Directory users with one principal for each service across all the nodes of the cluster. 
> I have a patch to allow the use of UPN style principals in Hadoop. The patch will not affect the use of SPN style principals. I couldn't figure out a way to write test cases against MiniKDC so I have included the Oracle/Sun sample Sasl server and client code along with the configuration I used to confirm this scheme works. 



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)