[
https://issues.apache.org/jira/browse/IMPALA-12318?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17979254#comment-17979254
]
ASF subversion and git services commented on IMPALA-12318:
----------------------------------------------------------
Commit 4e7c600f1c70b25833d3848ed65d5290035b6f62 in impala's branch
refs/heads/master from halim.kim
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=4e7c600f1 ]
IMPALA-14066 (Part 5): Re-applying IMPALA-12318: Add a flag option for http
spnego dedicated keytab file.
This commit re-applies IMPALA-12318 to the Kudu files after the Kudu
rebase to v1.17.1.
Testing: exhaustive tests have passed.
The original commit message is below:
Add a --spnego_keytab_file flag for seperation of service keytab file
and spnego keytab file. If --webserver_require_spnego flag is true and
--spnego_keytab_file is not empty but specifies a keytab location, web
console gss acceptor registers specified keytab location so that web
server is able to find spnego principal from spnego_keytab_file. if
--spnego_keytab_file is empty even --webserver_require_spnego, web
server will use --keytab_file flag as it is.
Change-Id: I1db5a9f222f74429fead81ec9888bdd5b6e32f48
Reviewed-on: http://gerrit.cloudera.org:8080/20269
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
Reviewed-on: http://gerrit.cloudera.org:8080/22971
Reviewed-by: Daniel Becker <[email protected]>
Tested-by: Daniel Becker <[email protected]>
> Use spnego dedicated keytab
> ---------------------------
>
> Key: IMPALA-12318
> URL: https://issues.apache.org/jira/browse/IMPALA-12318
> Project: IMPALA
> Issue Type: Improvement
> Components: Security
> Reporter: halim kim
> Assignee: halim kim
> Priority: Minor
> Fix For: Impala 4.4.0
>
>
> Kerberos is one of the authentication methods that impala provides.
> Kerberized impala uses its keytab that has impala principal for
> authentication.
> kerberos authentication can be applied by setting '--principal' and
> '--keytab_file' flags.
> Further more, It is possible to kerberize impala web console by having
> --webserver_require_spnego as true.
> The problem is impala uses just one keytab file. Therefore, a keytab must
> have both impala and HTTP spnego principal If you want to kerberize web
> console too.
>
> As far as i know, Other service like hadoop, hive and etc provides a option
> to use http spnego dedicated keytab file and there are cases that using
> seperate http spnego keytab and service keytab. So providing a way to use
> another keytab file for http spnego will make users handle kerberos keytab
> file more easily.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
