Comments (30)
We have a go-hdfs implementation working with Kerberos at https://github.com/Sqooba/hdfs (using a pure go kerberos library)
Haven't done a PR yet as the code probably deserves a few cleanups and we have not figured out automated testing yet (and we'd be curious to hear any suggestions about that matter).
Development was done against a Kerby KDC, which is reasonably easy to set up, and an hdfs mini cluster from https://github.com/sakserv/hadoop-mini-clusters/
(We attempted to use a miniKDC from the above repo, but they currently have an issue: sakserv/hadoop-mini-clusters#51)
I'm not sure of the best path to follow for testing:
- run the whole test suite with Kerberos on?
- just add a simple test case with Kerberos turned on, and leave it off otherwise?
- run the tests with Kerberos on and off?
I'm only mildly familiar with Travis CI, and enabling/disabling Kerberos might require changing/reloading the Hadoop environment entirely (unless we can tell it to accept both plaintext and SASL auth; have not checked if that is possible yet).
Anyway, in the meantime, we have a few persons using the code daily and it runs smoothly.
Feedback and comments more than welcome.
PS: it works with both keytabs and credential cache
from hdfs.
Hi all, sorry for digging up an old ticket, is there still interest in Kerberos?
from hdfs.
It might be an idea to gate @lomik's code under a build tag, since it's the right basic approach; we're just lacking a go-native GSSAPI library to support it.
from hdfs.
Hi David,
Good question! I don't really know what would be involved in that. I also don't really have a cluster set up to test with.
I'll leave this open for now - I'd love to hear any suggestions!
from hdfs.
Hi Colinmarc
I have a cluster that uses kerberos auth
I test your hdfs cmd
from hdfs.
@Georce is that somewhere on the public internet for me to test with? Otherwise it'd be kind of hard to develop against =)
from hdfs.
@colinmarc OK, I will provide an all in one CDH5 in kerberos with jenkins CI next week.
But with no hdfs put cmd, your project is kind of hard to develop
from hdfs.
That sounds super useful! In the tests, I use hadoop fs -put to populate the test data: https://github.com/colinmarc/hdfs/blob/master/setup_test_env.sh#L44-L45
from hdfs.
@colinmarc
I send email for you. Is [email protected] ?
from hdfs.
Yup, that's right.
from hdfs.
Has there been any progress on this ticket? Looking for help?
from hdfs.
I never ended up getting an email from @Georce - so I'm still blocked on the availability of a test cluster to develop against. That, and I really have no idea how kerberos works =)
from hdfs.
Well, I've got a cluster at work, so I can try to carve out some time. It is secure, so I'll just mock it for test purposes. I think snakebite supports kerberos now, so I'll check that out and try to touch base in a week.
from hdfs.
Oh amazing, thanks!
from hdfs.
Glancing at the snakebite implementation and paraphrasing heavily...
- If use_sasl flag is set true,
- Get the kerberos user principal name
- In the RPC headers, send the auth protocol
- Authenticate via sasl
- Business as usual.
from hdfs.
Plot thickens in order to support encryption: spotify/snakebite#185
from hdfs.
@colinmarc What? I send you again. My email is [email protected]
from hdfs.
Huh, weird - I see it now, thank you!
from hdfs.
Authentication/negotiation seems straightforward. Anyone grok the encryption workflow or know of a good working example? Snakebite is still deficient for this.
from hdfs.
Any luck with the authentication part? I've been buried.
from hdfs.
Haven't looked at all, sorry =(. Also pretty buried.
from hdfs.
I'd still love to have this, but don't really have the time, context or environment to add the feature.
from hdfs.
@colinmarc, FYI
I've implemented Kerberos authentication here lomik@bae39b4
But this implementation is not native and requires go-sasl library (cgo wrapper for Cyrus SASL) :(
from hdfs.
@lomik does your implementation support keytabs?
thanks in advance.
from hdfs.
@mxk1235, keytabs are not supported
from hdfs.
@Shastick that's fantastic news! Feel free to open the PR even if it's not ready yet - it'd be good to see what the diff looks like.
For testing, we'd want to do a whole run of the test suite with kerberos on. We already do multiple runs to test different hadoop distributions with a build matrix:
Lines 12 to 14 in 0f30457
And then switch on it in the test setup:
Lines 11 to 18 in 0f30457
What I'd suggest is:
- Change the test setup to use that library you mentioned (for the normal tests). This can even be a separate PR. If that library doesn't work, we can also try using a docker setup, as someone suggested on another issue.
- Add a build for kerberos (it would actually add two builds: one for CDH and one for Hortonworks)
from hdfs.
link to the PR for reference: #99
from hdfs.
Kerberos security is common in Hadoop; without this support, it is very inconvenient to use this lib.
from hdfs.
There is now an internal PR that adds support for Kerberos: #133
If you're running Kerberos in production, please test it out and let me know if it works!
from hdfs.
Fixed in #133. I'll do a version release soon.
from hdfs.