diff --git a/cmd/gateway/hdfs/gateway-hdfs.go b/cmd/gateway/hdfs/gateway-hdfs.go
index 221dae4ac..5eff3d5d7 100644
--- a/cmd/gateway/hdfs/gateway-hdfs.go
+++ b/cmd/gateway/hdfs/gateway-hdfs.go
@@ -36,6 +36,7 @@ import (
 	krb "github.com/jcmturner/gokrb5/v8/client"
 	"github.com/jcmturner/gokrb5/v8/config"
 	"github.com/jcmturner/gokrb5/v8/credentials"
+	"github.com/jcmturner/gokrb5/v8/keytab"
 	"github.com/minio/cli"
 	"github.com/minio/minio-go/v7/pkg/s3utils"
 	minio "github.com/minio/minio/cmd"
@@ -121,6 +122,23 @@ func getKerberosClient() (*krb.Client, error) {
 		return nil, err
 	}
 
+	keytabPath := env.Get("KRB5KEYTAB", "")
+	if keytabPath != "" {
+		kt, err := keytab.Load(keytabPath)
+		if err != nil {
+			return nil, err
+		}
+
+		username := env.Get("KRB5USERNAME", "")
+		realm := env.Get("KRB5REALM", "")
+		if username == "" || realm == "" {
+			return nil, errors.New("empty KRB5USERNAME or KRB5REALM")
+
+		}
+
+		return krb.NewWithKeytab(username, realm, kt, cfg), nil
+	}
+
 	// Determine the ccache location from the environment, falling back to the default location.
 	ccachePath := env.Get("KRB5CCNAME", fmt.Sprintf("/tmp/krb5cc_%s", u.Uid))
 	if strings.Contains(ccachePath, ":") {
@@ -195,7 +213,7 @@ func (g *HDFS) NewGatewayLayer(creds auth.Credentials) (minio.ObjectLayer, error
 
 	clnt, err := hdfs.NewClient(opts)
 	if err != nil {
-		return nil, fmt.Errorf("unable to initialize hdfsClient")
+		return nil, fmt.Errorf("unable to initialize hdfsClient: %v", err)
 	}
 
 	if err = clnt.MkdirAll(minio.PathJoin(commonPath, hdfsSeparator, minioMetaTmpBucket), os.FileMode(0755)); err != nil {
diff --git a/docs/gateway/hdfs.md b/docs/gateway/hdfs.md
index e98e02394..536146436 100644
--- a/docs/gateway/hdfs.md
+++ b/docs/gateway/hdfs.md
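Review bot: The keytab branch in getKerberosClient reads the keytab file from disk before it checks KRB5USERNAME and KRB5REALM, and it returns the keytab.Load failure without saying what was being loaded; move the username/realm check ahead of `keytab.Load` and wrap the load error, `return nil, fmt.Errorf("loading keytab %q: %w", keytabPath, err)`. Unlike the ccache path, the client returned by krb.NewWithKeytab holds only the long-term key and, as far as this hunk shows, has not obtained a TGT, so a wrong principal or realm would surface on the first HDFS request rather than at gateway start; if NewWithKeytab does not authenticate on construction, calling `Login()` on the new client and returning its error gives the same fail-fast behaviour the ccache path has. The stray blank line before the closing brace of the username/realm check should be dropped. getKerberosClient starts before this hunk and continues after it.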
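Review bot: The rewritten error in NewGatewayLayer formats the hdfs.NewClient failure with `%v`, which flattens the cause into text and stops callers from using errors.Is/errors.As on it; `%w` keeps the chain while producing the same message, `return nil, fmt.Errorf("unable to initialize hdfsClient: %w", err)`. NewGatewayLayer starts before this hunk and continues after it.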
@@ -30,6 +30,44 @@ docker run -p 9000:9000 \
   minio/minio gateway hdfs hdfs://namenode:8200
 ```
 
+### Setup Kerberos
+
+MinIO supports two kerberos authentication methods, keytab and ccache.
+
+To enable kerberos authentication, you need to set `hadoop.security.authentication=kerberos` in the HDFS config file.
+
+```xml
+
+  hadoop.security.authentication
+  kerberos
+
+```
+
+MinIO will load `krb5.conf` from environment variable `KRB5_CONFIG` or default location `/etc/krb5.conf`.
+```sh
+export KRB5_CONFIG=/path/to/krb5.conf
+```
+
+If you want MinIO to use ccache for authentication, set environment variable `KRB5CCNAME` to the credential cache file path,
+or MinIO will use the default location `/tmp/krb5cc_%{uid}`.
+```sh
+export KRB5CCNAME=/path/to/krb5cc
+```
+
+If you prefer to use keytab, with automatically renewal, you need to config three environment variables:
+
+- `KRB5KEYTAB`: the location of keytab file
+- `KRB5USERNAME`: the username
+- `KRB5REALM`: the realm
+
+Please note that the username is not principal name.
+
+```sh
+export KRB5KEYTAB=/path/to/keytab
+export KRB5USERNAME=hdfs
+export KRB5REALM=REALM.COM
+```
+
 ## Test using MinIO Browser
 
 *MinIO gateway* comes with an embedded web based object browser. Point your web browser to http://127.0.0.1:9000 to ensure that your server has started successfully.