-
Notifications
You must be signed in to change notification settings - Fork 340
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Kerberos support #133
Kerberos support #133
Conversation
Thanks for pulling this through the last mile! About your keytab remark: the I'm not sure exactly about how much the PR branch and our fork have diverged, but for using kerberos it's just about calling a different factory method with the path to the keytab. |
@Shastick can you elaborate on how you use both? You're right that keytab support was in your original branch; I elided it purely to avoid interface complexity, and because |
c2d15ee
to
8a239d3
Compare
Does
I totally get what you're saying, and I think that's a great aspiration. But if the choice is between that or converging on having what's effectively a config file worth of ENV variables (or an actual toml/whatever config file!), I think it's more convenient to just copy over |
In other news - tests are green with none skipped! 🎆 🌭 🥇 🐎 I'm going to wait a few days to get some positive feedback from folks actually using kerberos in production (and settle the keytab interface question) before I merge this. |
@@ -4,6 +4,7 @@ go_import_path: github.com/colinmarc/hdfs | |||
go: 1.x | |||
env: | |||
- PLATFORM=cdh5 | |||
- PLATFORM=cdh5 KERBEROS=true | |||
- PLATFORM=hdp2 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why are we not testing KERBEROS=true
for hdp2
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because it's redundant, and because I didn't factor out the krb setup stuff (although I could probably). I don't actually think it's really necessary to have hdp2
in there right now, but I do want to have hdp3
shortly (I think I need xenial travis support for that?) and cdh6
eventually.
client.go
Outdated
} | ||
|
||
if conf["dfs.namenode.kerberos.principal"] != "" { | ||
options.KerberosServiceName = strings.Split(conf["dfs.namenode.kerberos.principal"], "/")[0] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
dfs.namenode.kerberos.principal
can be hdfs@EXAMPLE.COM
. In that case, options.KerberosServiceName
will be hdfs@EXAMPLE.COM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great point. Do you happen to know what's actually required by the KDC there? Maybe the best option is just to reuse the hadoop _HOST
thing, even though it's gross.
5eee118
to
21b496b
Compare
25d262b
to
393421a
Compare
This adds mutual Kerberos authentication to connections with the namenode. A kerberos client must be constructed manually and passed to hdfs.NewClient to enable support.
Before, we were making an extra getBlockLocations request to get the block location to write to. This worked fine except under kerberos, where the append call had the correct access token for the block. The fix also saves us a round trip.
awesome! when do you expect to cut a release with it? |
when I test kerberos in our hdfs cluster of kerberos ,it is failed the error msg is follow is the error location: my test code :
|
Looking at https://tools.ietf.org/html/rfc4121#section-4.4 it seems that Is your server configured to rely on SASL/Kerberos for authentication only? If it expects anything else from Kerberos (e.g, encryption of tokens/payloads or something else), the client does not support this. I have no other idea so far. |
@mxk1235 The new release is published now. |
I took the binary and set HADOOP_CONF_DIR and HADOOP_HOME on one of our boxes which we use to do hadoop fs -ls / tried with go-hdfs, my flow is -
In fact I do not even need to give hdfs ls root dir - i just type hdfs ls and it fails ... any suggestions? |
This PR contains basic kerberos support, based on the hard work by @Shastick and @staticmukesh in #99.
I'd love feedback from people who actually use kerberos, especially on the API. The command line client uses the MIT kerberos defaults (and env variables) for
krb5.conf
and the credential cache; I have no idea if that's idiomatic. It also doesn't support a keytab file. Please speak up if you have an opinion on how this should work!