KMS: Support for multiple Kerberos principals. (tucu)
parent 52945a33cc
commit fad4cd85b3
@@ -834,6 +834,8 @@ Release 2.6.0 - UNRELEASED
 HADOOP-11105. MetricsSystemImpl could leak memory in registered callbacks.
 (Chuan Liu via cnauroth)
 
+KMS: Support for multiple Kerberos principals. (tucu)
+
 Release 2.5.1 - 2014-09-05
 
 INCOMPATIBLE CHANGES
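Review bot: the new CHANGES entry `KMS: Support for multiple Kerberos principals. (tucu)` carries no issue key, while every neighbouring entry in this section leads with one (e.g. `HADOOP-11105. MetricsSystemImpl could leak memory in registered callbacks.`). Prefix it with the HADOOP JIRA id in the same `HADOOP-NNNN.` form so the change can be traced to its ticket and picked up by release notes.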
@@ -45,6 +45,7 @@ import java.io.InputStream;
 import java.io.OutputStream;
 import java.io.OutputStreamWriter;
 import java.io.Writer;
+import java.lang.reflect.UndeclaredThrowableException;
 import java.net.HttpURLConnection;
 import java.net.SocketTimeoutException;
 import java.net.URI;
@@ -400,6 +401,8 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
 });
 } catch (IOException ex) {
 throw ex;
+} catch (UndeclaredThrowableException ex) {
+throw new IOException(ex.getUndeclaredThrowable());
 } catch (Exception ex) {
 throw new IOException(ex);
 }
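Review bot: `throw new IOException(ex.getUndeclaredThrowable());` discards the type of the wrapped throwable. When a proxy or doAs() call surfaces a checked exception as UndeclaredThrowableException, the wrapped throwable is very often already an IOException (a SocketTimeoutException, for instance, which this class imports), and re-wrapping it turns a distinguishable subtype into a plain IOException whose message is only the inner class name and message, so callers can no longer tell a timeout from an authentication failure. Unwrap first and rethrow IOExceptions as themselves: `Throwable t = ex.getUndeclaredThrowable();` / `if (t instanceof IOException) throw (IOException) t;` / `throw new IOException(t);`. A one-line comment on why UndeclaredThrowableException is expected on this path would also help, since the existing `catch (Exception ex)` below otherwise looks like it already covers it.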
@@ -602,7 +602,31 @@ $ keytool -genkey -alias tomcat -keyalg RSA
 
 *** HTTP Kerberos Principals Configuration
 
-TBD
+When KMS instances are behind a load-balancer or VIP, clients will use the
+hostname of the VIP. For Kerberos SPNEGO authentication, the hostname of the
+URL is used to construct the Kerberos service name of the server,
+<<<HTTP/#HOSTNAME#>>>. This means that all KMS instances must have a Kerberos
+service name with the load-balancer or VIP hostname.
+
+In order to be able to access directly a specific KMS instance, the KMS
+instance must also have Keberos service name with its own hostname. This is
+required for monitoring and admin purposes.
+
+Both Kerberos service principal credentials (for the load-balancer/VIP
+hostname and for the actual KMS instance hostname) must be in the keytab file
+configured for authentication. And the principal name specified in the
+configuration must be '*'. For example:
+
++---+
+<property>
+<name>hadoop.kms.authentication.kerberos.principal</name>
+<value>*</value>
+</property>
++---+
+
+<<NOTE:>> If using HTTPS, the SSL certificate used by the KMS instance must
+be configured to support multiple hostnames (see Java 7
+<<<keytool>> SAN extension support for details on how to do this).
 
 *** HTTP Authentication Signature
 
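Review bot: two markup defects in the new text: `Keberos` in the second paragraph should be `Kerberos`, and `<<<keytool>>` opens an APT monospace span with three `<` but closes with only two `>`, so the span is unbalanced and will not render as intended (the hunk's other spans, `<<<HTTP/#HOSTNAME#>>>` and `<<NOTE:>>`, are balanced); write `<<<keytool>>>`. Beyond markup, the third paragraph says the principal `must be '*'` without saying what `*` means; spell out that it makes the authentication handler load every `HTTP/` service principal present in the keytab, which is why both the VIP and the per-host credentials have to be in that file and why a single explicit principal would not work. Lastly, since this section already shows concrete `keytool` invocations (the hunk header is `$ keytool -genkey -alias tomcat -keyalg RSA`), referring readers to "Java 7 keytool SAN extension support" is weaker than adding a `+---+` block with the `-ext SAN=dns:<vip-host>,dns:<kms-host>` form so the certificate covers both hostnames the text requires.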