Reputation: 491
The UserGroupInformation class has a loginUserFromKeytab method that takes the user principal and the name of a keytab file. You do not specify the service principal. I thought that Kerberos would need the service principal. Can someone fill in the blanks that I am missing?
Upvotes: 0
Views: 352
Reputation: 9067
AFAIK the "login" method is only responsible for the initial user authentication on the client side (krbtgt/REALM@REALM).
Then each and every Hadoop API manages its own authorization, but on the server side.
Client:
Service:
Upvotes: 2
Reputation: 8937
In a Kerberised cluster there are two types of accounts - simple users and user-services. From a technical point of view they are the same and consist of three parts - primary/instance@REALM. But simple users are authenticated by providing a principal name and password. It can be configured to use either the cluster KDC or an Active Directory KDC within a trust relationship. For user-services the keytab approach is used. That means that the administrator creates a keytab file which contains a list of principals valid for it. You can get the principals within a keytab by:
klist -kt path_to_keytab
Using loginUserFromKeytab you say you want to get a Kerberos ticket for your current user to some service using a keytab file. As parameters, you should provide the path to the keytab and the name of the service principal within the keytab. If you succeed, your current user or executing-context owner will get the ticket with all necessary permissions to access the service.
Upvotes: 0
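The client-side login described in both answers, as an added example that is not part of either post: only the user principal and the keytab are given to loginUserFromKeytab, the TGT (krbtgt/REALM@REALM) and later service tickets are obtained by the Hadoop client library, and authorization is left to the server. The principal, keytab path and HDFS path are hypothetical placeholders.

```java
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

public class KeytabLoginExample {

    // Hypothetical values: use a principal listed by "klist -kt" for your keytab and its real path.
    private static final String USER_PRINCIPAL = "svc_etl/host.example.com@EXAMPLE.COM";
    private static final String KEYTAB_PATH = "/etc/security/keytabs/svc_etl.keytab";

    public static void main(String[] args) throws Exception {
        Configuration conf = new Configuration();
        // Without this, UGI assumes "simple" authentication and never talks to the KDC.
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);

        // Client-side authentication only: UGI reads the key for USER_PRINCIPAL from the keytab
        // and requests a TGT (a ticket for krbtgt/REALM@REALM). No service principal is named;
        // a service ticket is requested automatically when an RPC connection is opened, for the
        // principal the server itself is configured with.
        UserGroupInformation.loginUserFromKeytab(USER_PRINCIPAL, KEYTAB_PATH);
        UserGroupInformation ugi = UserGroupInformation.getLoginUser();

        // Sanity check that we really hold keytab-based Kerberos credentials.
        if (!ugi.hasKerberosCredentials() || !ugi.isFromKeytab()) {
            throw new IllegalStateException("expected a keytab-based Kerberos login, got " + ugi);
        }
        System.out.println("logged in as " + ugi.getUserName()
                + " (auth=" + ugi.getAuthenticationMethod() + ")");

        // Long-running processes: the TGT expires, so refresh it from the keytab before working.
        ugi.checkTGTAndReloginFromKeytab();

        // Authorization is server side: the NameNode maps the authenticated principal to a
        // short name and applies HDFS permissions; the client only presents its service ticket.
        FileStatus[] listing = ugi.doAs((PrivilegedExceptionAction<FileStatus[]>) () -> {
            FileSystem fs = FileSystem.get(conf);
            return fs.listStatus(new Path("/user/svc_etl")); // hypothetical HDFS path
        });
        for (FileStatus st : listing) {
            System.out.println(st.getPath());
        }
    }
}
```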