[HDFS-16768] KMS should have it's own Kerberos principal - ASF JIRA

XML

Word

Printable

JSON

Details

Type: New Feature
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 3.4.0, 3.3.5
Fix Version/s: None
Component/s: kms
Labels:
None
Environment:

Demonstrated using the trunk code base on UBI 8 under Java 11.

Target Version/s:

3.3.9

Description

Starting the KMS service without first running `kinit` fails when using HDFS to store the keys, throwing:

java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]

with the following underlying cause:

Caused by: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS] at org.apache.hadoop.security.SaslRpcClient.selectSaslClient(SaslRpcClient.java:179) at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:392)

In addition, it would be valuable to have the automatic refresh using the keytab which is provided by the UserGroupInformation.

I'm proposing 2 new configuration settings to allow the definition of the principal and keytab to use for KMS, and if provided that they should be initialized as part of the server startup using the UserGroupInformation methods to support reloading.

Attachments

Activity

People

Assignee:: Steve Vaughan

Reporter:: Steve Vaughan

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 12/Sep/22 01:27

Updated:: 29/Nov/22 15:51