-
Notifications
You must be signed in to change notification settings - Fork 340
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This adds mutual Kerberos authentication using a SASL handshake with the namenode. A kerberos client must be constructed manually and passed to hdfs.NewClient to enable support; the command-line client is currently only configurable with a ccache file and hadoop.security.authentication set in the hadoop configuration.
- Loading branch information
Showing
129 changed files
with
15,010 additions
and
77 deletions.
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
package main | ||
|
||
import ( | ||
"fmt" | ||
"os" | ||
"os/user" | ||
"strings" | ||
|
||
krb "gopkg.in/jcmturner/gokrb5.v5/client" | ||
"gopkg.in/jcmturner/gokrb5.v5/config" | ||
"gopkg.in/jcmturner/gokrb5.v5/credentials" | ||
) | ||
|
||
// TODO: Write a kerberos_windows.go and move this to kerberos_unix.go. This | ||
// assumes MIT kerberos on unix. | ||
|
||
func getKerberosClient() (krb.Client, error) { | ||
var client krb.Client | ||
|
||
configPath := os.Getenv("KRB5_CONFIG") | ||
if configPath == "" { | ||
configPath = "/etc/krb5/krb5.conf" | ||
} | ||
|
||
cfg, err := config.Load(configPath) | ||
if err != nil { | ||
return client, err | ||
} | ||
|
||
// Determine the ccache location from the environment, falling back to the | ||
// default location. | ||
ccachePath := os.Getenv("KRB5CCNAME") | ||
if strings.Contains(ccachePath, ":") { | ||
if strings.HasPrefix(ccachePath, "FILE:") { | ||
ccachePath = strings.SplitN(ccachePath, ":", 2)[1] | ||
} else { | ||
return client, fmt.Errorf("can't use ccache: %s", ccachePath) | ||
} | ||
} else if ccachePath == "" { | ||
u, err := user.Current() | ||
if err != nil { | ||
return client, nil | ||
} | ||
|
||
ccachePath = fmt.Sprintf("/tmp/krb5cc_%s", u.Uid) | ||
} | ||
|
||
ccache, err := credentials.LoadCCache(ccachePath) | ||
if err != nil { | ||
return client, err | ||
} | ||
|
||
client, err = krb.NewClientFromCCache(ccache) | ||
if err != nil { | ||
return client, err | ||
} | ||
|
||
client.WithConfig(cfg) | ||
return client, nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.