Kerberos support


Sean Zhong

Mar 18, 2014, 11:22:15 AM
to storm...@googlegroups.com
I am not sure about this,

Does Storm-yarn support Kerberos enabled YARN? Where is the related code?

Bobby Evans

Mar 18, 2014, 11:45:31 AM
to Sean Zhong, storm...@googlegroups.com
We have tested it on secure YARN, but it will not be secure.

—Bobby


Sean Zhong

Mar 18, 2014, 12:00:55 PM
to storm...@googlegroups.com, Sean Zhong
Thanks, but why "it will not be secure"?

Bobby Evans

Mar 18, 2014, 12:11:20 PM
to Sean Zhong, storm...@googlegroups.com
Nimbus and the AM will come up but they will not authenticate the clients that connect to them. Even if you took the security changes we have made to Storm, the Kerberos Thrift SASL server requires that you have a service principal, which will not be available on YARN. To make it work you would have to write a new SASL plugin that would use Hadoop delegation tokens similar to how MapReduce works, both for the client and the server side. I am also not totally sure how you would make it work with ZooKeeper, which does not have delegation tokens. There would need to be some work around that. Once you have that everything except the code we wrote for run as user should be OK.

—Bobby

Sean Zhong

Mar 18, 2014, 12:25:49 PM
to Bobby Evans, storm...@googlegroups.com
Thank you for this information. I do not quite understand the ZooKeeper part, but I will check that.

