HDFS support keytab (#11473)
This commit is contained in:
parent
74080bf108
commit
152d7cd95b
@ -36,6 +36,7 @@ import (
|
|||||||
krb "github.com/jcmturner/gokrb5/v8/client"
|
krb "github.com/jcmturner/gokrb5/v8/client"
|
||||||
"github.com/jcmturner/gokrb5/v8/config"
|
"github.com/jcmturner/gokrb5/v8/config"
|
||||||
"github.com/jcmturner/gokrb5/v8/credentials"
|
"github.com/jcmturner/gokrb5/v8/credentials"
|
||||||
|
"github.com/jcmturner/gokrb5/v8/keytab"
|
||||||
"github.com/minio/cli"
|
"github.com/minio/cli"
|
||||||
"github.com/minio/minio-go/v7/pkg/s3utils"
|
"github.com/minio/minio-go/v7/pkg/s3utils"
|
||||||
minio "github.com/minio/minio/cmd"
|
minio "github.com/minio/minio/cmd"
|
||||||
@ -121,6 +122,23 @@ func getKerberosClient() (*krb.Client, error) {
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
keytabPath := env.Get("KRB5KEYTAB", "")
|
||||||
|
if keytabPath != "" {
|
||||||
|
kt, err := keytab.Load(keytabPath)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
username := env.Get("KRB5USERNAME", "")
|
||||||
|
realm := env.Get("KRB5REALM", "")
|
||||||
|
if username == "" || realm == "" {
|
||||||
|
return nil, errors.New("empty KRB5USERNAME or KRB5REALM")
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
return krb.NewWithKeytab(username, realm, kt, cfg), nil
|
||||||
|
}
|
||||||
|
|
||||||
// Determine the ccache location from the environment, falling back to the default location.
|
// Determine the ccache location from the environment, falling back to the default location.
|
||||||
ccachePath := env.Get("KRB5CCNAME", fmt.Sprintf("/tmp/krb5cc_%s", u.Uid))
|
ccachePath := env.Get("KRB5CCNAME", fmt.Sprintf("/tmp/krb5cc_%s", u.Uid))
|
||||||
if strings.Contains(ccachePath, ":") {
|
if strings.Contains(ccachePath, ":") {
|
||||||
@ -195,7 +213,7 @@ func (g *HDFS) NewGatewayLayer(creds auth.Credentials) (minio.ObjectLayer, error
|
|||||||
|
|
||||||
clnt, err := hdfs.NewClient(opts)
|
clnt, err := hdfs.NewClient(opts)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("unable to initialize hdfsClient")
|
return nil, fmt.Errorf("unable to initialize hdfsClient: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
if err = clnt.MkdirAll(minio.PathJoin(commonPath, hdfsSeparator, minioMetaTmpBucket), os.FileMode(0755)); err != nil {
|
if err = clnt.MkdirAll(minio.PathJoin(commonPath, hdfsSeparator, minioMetaTmpBucket), os.FileMode(0755)); err != nil {
|
||||||
|
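Review bot: The keytab branch added to getKerberosClient returns `krb.NewWithKeytab(username, realm, kt, cfg)` without calling `Login()` on it; `NewWithKeytab` only constructs the client, whereas the ccache branch below it (presumably built with NewFromCCache) starts out holding a TGT, so unless the HDFS client logs in on first use the keytab path has no ticket and none of the automatic renewal the docs hunk promises. Confirm which it is, or authenticate before returning: `cl := krb.NewWithKeytab(username, realm, kt, cfg)` / `if err := cl.Login(); err != nil { return nil, err }` / `return cl, nil`. The KRB5USERNAME/KRB5REALM check also runs only after keytab.Load, so a misconfigured name still opens and parses the long-term secret first; reading and validating the two variables before loading the keytab gives a clearer error and avoids touching the credential until it is needed. In the NewGatewayLayer hunk, `fmt.Errorf("unable to initialize hdfsClient: %w", err)` would keep the underlying error inspectable with errors.Is/As. The body of getKerberosClient starts and ends outside the hunk.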
@ -30,6 +30,44 @@ docker run -p 9000:9000 \
|
|||||||
minio/minio gateway hdfs hdfs://namenode:8200
|
minio/minio gateway hdfs hdfs://namenode:8200
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Setup Kerberos
|
||||||
|
|
||||||
|
MinIO supports two kerberos authentication methods, keytab and ccache.
|
||||||
|
|
||||||
|
To enable kerberos authentication, you need to set `hadoop.security.authentication=kerberos` in the HDFS config file.
|
||||||
|
|
||||||
|
```xml
|
||||||
|
<property>
|
||||||
|
<name>hadoop.security.authentication</name>
|
||||||
|
<value>kerberos</value>
|
||||||
|
</property>
|
||||||
|
```
|
||||||
|
|
||||||
|
MinIO will load `krb5.conf` from environment variable `KRB5_CONFIG` or default location `/etc/krb5.conf`.
|
||||||
|
```sh
|
||||||
|
export KRB5_CONFIG=/path/to/krb5.conf
|
||||||
|
```
|
||||||
|
|
||||||
|
If you want MinIO to use ccache for authentication, set environment variable `KRB5CCNAME` to the credential cache file path,
|
||||||
|
or MinIO will use the default location `/tmp/krb5cc_%{uid}`.
|
||||||
|
```sh
|
||||||
|
export KRB5CCNAME=/path/to/krb5cc
|
||||||
|
```
|
||||||
|
|
||||||
|
If you prefer to use keytab, with automatically renewal, you need to config three environment variables:
|
||||||
|
|
||||||
|
- `KRB5KEYTAB`: the location of keytab file
|
||||||
|
- `KRB5USERNAME`: the username
|
||||||
|
- `KRB5REALM`: the realm
|
||||||
|
|
||||||
|
Please note that the username is not principal name.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
export KRB5KEYTAB=/path/to/keytab
|
||||||
|
export KRB5USERNAME=hdfs
|
||||||
|
export KRB5REALM=REALM.COM
|
||||||
|
```
|
||||||
|
|
||||||
## Test using MinIO Browser
|
## Test using MinIO Browser
|
||||||
*MinIO gateway* comes with an embedded web based object browser. Point your web browser to http://127.0.0.1:9000 to ensure that your server has started successfully.
|
*MinIO gateway* comes with an embedded web based object browser. Point your web browser to http://127.0.0.1:9000 to ensure that your server has started successfully.
|
||||||
|
|
||||||
|