HDFS support keytab (#11473)

2025-11-07 12:52:58 -05:00 · 2021-02-08 09:29:47 +08:00
parent 74080bf108
commit 152d7cd95b
2 changed files with 57 additions and 1 deletions
--- a/cmd/gateway/hdfs/gateway-hdfs.go
+++ b/cmd/gateway/hdfs/gateway-hdfs.go
@@ -36,6 +36,7 @@ import (
 	krb "github.com/jcmturner/gokrb5/v8/client"
 	"github.com/jcmturner/gokrb5/v8/config"
 	"github.com/jcmturner/gokrb5/v8/credentials"
+	"github.com/jcmturner/gokrb5/v8/keytab"
 	"github.com/minio/cli"
 	"github.com/minio/minio-go/v7/pkg/s3utils"
 	minio "github.com/minio/minio/cmd"
@@ -121,6 +122,23 @@ func getKerberosClient() (*krb.Client, error) {
 		return nil, err
 	}

+	keytabPath := env.Get("KRB5KEYTAB", "")
+	if keytabPath != "" {
+		kt, err := keytab.Load(keytabPath)
+		if err != nil {
+			return nil, err
+		}
+
+		username := env.Get("KRB5USERNAME", "")
+		realm := env.Get("KRB5REALM", "")
+		if username == "" || realm == "" {
+			return nil, errors.New("empty KRB5USERNAME or KRB5REALM")
+
+		}
+
+		return krb.NewWithKeytab(username, realm, kt, cfg), nil
+	}
+
 	// Determine the ccache location from the environment, falling back to the default location.
 	ccachePath := env.Get("KRB5CCNAME", fmt.Sprintf("/tmp/krb5cc_%s", u.Uid))
 	if strings.Contains(ccachePath, ":") {
@@ -195,7 +213,7 @@ func (g *HDFS) NewGatewayLayer(creds auth.Credentials) (minio.ObjectLayer, error

 	clnt, err := hdfs.NewClient(opts)
 	if err != nil {
-		return nil, fmt.Errorf("unable to initialize hdfsClient")
+		return nil, fmt.Errorf("unable to initialize hdfsClient: %v", err)
 	}

 	if err = clnt.MkdirAll(minio.PathJoin(commonPath, hdfsSeparator, minioMetaTmpBucket), os.FileMode(0755)); err != nil {