oyd
/
minio
6
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

HDFS support keytab (#11473)

Browse Source
master
Sarasa Kisaragi 3 years ago committed by GitHub
parent 74080bf108
commit 152d7cd95b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 57 additions and 1 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 20
      cmd/gateway/hdfs/gateway-hdfs.go
  2. 38
      docs/gateway/hdfs.md

20
cmd/gateway/hdfs/gateway-hdfs.go
Unescape View File

@ -36,6 +36,7 @@ import (
krb "github.com/jcmturner/gokrb5/v8/client"
"github.com/jcmturner/gokrb5/v8/config"
"github.com/jcmturner/gokrb5/v8/credentials"
"github.com/jcmturner/gokrb5/v8/keytab"
"github.com/minio/cli"
"github.com/minio/minio-go/v7/pkg/s3utils"
minio "github.com/minio/minio/cmd"
@ -121,6 +122,23 @@ func getKerberosClient() (*krb.Client, error) {
return nil, err
}
keytabPath := env.Get("KRB5KEYTAB", "")
if keytabPath != "" {
kt, err := keytab.Load(keytabPath)
if err != nil {
return nil, err
}
username := env.Get("KRB5USERNAME", "")
realm := env.Get("KRB5REALM", "")
if username == "" || realm == "" {
return nil, errors.New("empty KRB5USERNAME or KRB5REALM")
}
return krb.NewWithKeytab(username, realm, kt, cfg), nil
}
// Determine the ccache location from the environment, falling back to the default location.
ccachePath := env.Get("KRB5CCNAME", fmt.Sprintf("/tmp/krb5cc_%s", u.Uid))
if strings.Contains(ccachePath, ":") {
@ -195,7 +213,7 @@ func (g *HDFS) NewGatewayLayer(creds auth.Credentials) (minio.ObjectLayer, error
clnt, err := hdfs.NewClient(opts)
if err != nil {
return nil, fmt.Errorf("unable to initialize hdfsClient")
return nil, fmt.Errorf("unable to initialize hdfsClient: %v", err)
}
if err = clnt.MkdirAll(minio.PathJoin(commonPath, hdfsSeparator, minioMetaTmpBucket), os.FileMode(0755)); err != nil {

38
docs/gateway/hdfs.md
Unescape View File

@ -30,6 +30,44 @@ docker run -p 9000:9000 \
minio/minio gateway hdfs hdfs://namenode:8200
```
### Setup Kerberos
MinIO supports two kerberos authentication methods, keytab and ccache.
To enable kerberos authentication, you need to set `hadoop.security.authentication=kerberos` in the HDFS config file.
```xml
<property>
<name>hadoop.security.authentication</name>
<value>kerberos</value>
</property>
```
MinIO will load `krb5.conf` from environment variable `KRB5_CONFIG` or default location `/etc/krb5.conf`.
```sh
export KRB5_CONFIG=/path/to/krb5.conf
```
If you want MinIO to use ccache for authentication, set environment variable `KRB5CCNAME` to the credential cache file path,
or MinIO will use the default location `/tmp/krb5cc_%{uid}`.
```sh
export KRB5CCNAME=/path/to/krb5cc
```
If you prefer to use keytab, with automatically renewal, you need to config three environment variables:
- `KRB5KEYTAB`: the location of keytab file
- `KRB5USERNAME`: the username
- `KRB5REALM`: the realm
Please note that the username is not principal name.
```sh
export KRB5KEYTAB=/path/to/keytab
export KRB5USERNAME=hdfs
export KRB5REALM=REALM.COM
```
## Test using MinIO Browser
*MinIO gateway* comes with an embedded web based object browser. Point your web browser to http://127.0.0.1:9000 to ensure that your server has started successfully.

Write Preview
Loading…
Cancel
Save