Details
-
Bug
-
Status: Closed
-
Minor
-
Resolution: Fixed
-
0.4.0
-
None
Description
The HTTP principal is required for SPNEGO, so we now generate it and then include it in all of the service keytabs. Unfortunately, we add it to these keytabs using kadmin's xst command, which generates a new set of credentials for the HTTP principal and invalidates the old ones. A more correct approach would be to export the credential once and then inject it into the service keytabs using ktutil (though that doesn't change the fact that the way we get the service keytabs onto the hadoop nodes is insecure). Attaching a patch that implements this approach.