HDFS support keytab (#11473)
This commit is contained in:
parent
74080bf108
commit
152d7cd95b
@ -36,6 +36,7 @@ import (
|
||||
krb "github.com/jcmturner/gokrb5/v8/client"
|
||||
"github.com/jcmturner/gokrb5/v8/config"
|
||||
"github.com/jcmturner/gokrb5/v8/credentials"
|
||||
"github.com/jcmturner/gokrb5/v8/keytab"
|
||||
"github.com/minio/cli"
|
||||
"github.com/minio/minio-go/v7/pkg/s3utils"
|
||||
minio "github.com/minio/minio/cmd"
|
||||
@ -121,6 +122,23 @@ func getKerberosClient() (*krb.Client, error) {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
keytabPath := env.Get("KRB5KEYTAB", "")
|
||||
if keytabPath != "" {
|
||||
kt, err := keytab.Load(keytabPath)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
username := env.Get("KRB5USERNAME", "")
|
||||
realm := env.Get("KRB5REALM", "")
|
||||
if username == "" || realm == "" {
|
||||
return nil, errors.New("empty KRB5USERNAME or KRB5REALM")
|
||||
|
||||
}
|
||||
|
||||
return krb.NewWithKeytab(username, realm, kt, cfg), nil
|
||||
}
|
||||
|
||||
// Determine the ccache location from the environment, falling back to the default location.
|
||||
ccachePath := env.Get("KRB5CCNAME", fmt.Sprintf("/tmp/krb5cc_%s", u.Uid))
|
||||
if strings.Contains(ccachePath, ":") {
|
||||
@ -195,7 +213,7 @@ func (g *HDFS) NewGatewayLayer(creds auth.Credentials) (minio.ObjectLayer, error
|
||||
|
||||
clnt, err := hdfs.NewClient(opts)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to initialize hdfsClient")
|
||||
return nil, fmt.Errorf("unable to initialize hdfsClient: %v", err)
|
||||
}
|
||||
|
||||
if err = clnt.MkdirAll(minio.PathJoin(commonPath, hdfsSeparator, minioMetaTmpBucket), os.FileMode(0755)); err != nil {
|
||||
|
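Review bot: The keytab branch returns `krb.NewWithKeytab(username, realm, kt, cfg)` without a `Login()` step, and nothing in this hunk performs the AS exchange that populates a TGT session; if the HDFS client does not trigger that on its own, the first service-ticket request from a keytab-configured gateway would fail, so this deserves an integration check against a kerberized namenode (getKerberosClient continues outside the hunk, where the ccache branch lives). The `KRB5USERNAME`/`KRB5REALM` validation should run before `keytab.Load(keytabPath)` so a misconfiguration is reported without first reading the long-term key file; moving the two `env.Get` lines and the `if username == "" || realm == ""` guard above the load is a three-line reorder. Because the keytab holds long-term keys, an `os.Stat` mode check that logs a warning when the file is group- or world-readable would be a cheap safeguard, though the file's logging conventions are not visible here. In the third hunk, `return nil, fmt.Errorf("unable to initialize hdfsClient: %w", err)` would let callers inspect the wrapped error with `errors.Is`/`errors.As`.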
@ -30,6 +30,44 @@ docker run -p 9000:9000 \
|
||||
minio/minio gateway hdfs hdfs://namenode:8200
|
||||
```
|
||||
|
||||
### Setup Kerberos
|
||||
|
||||
MinIO supports two kerberos authentication methods, keytab and ccache.
|
||||
|
||||
To enable kerberos authentication, you need to set `hadoop.security.authentication=kerberos` in the HDFS config file.
|
||||
|
||||
```xml
|
||||
<property>
|
||||
<name>hadoop.security.authentication</name>
|
||||
<value>kerberos</value>
|
||||
</property>
|
||||
```
|
||||
|
||||
MinIO will load `krb5.conf` from environment variable `KRB5_CONFIG` or default location `/etc/krb5.conf`.
|
||||
```sh
|
||||
export KRB5_CONFIG=/path/to/krb5.conf
|
||||
```
|
||||
|
||||
If you want MinIO to use ccache for authentication, set environment variable `KRB5CCNAME` to the credential cache file path,
|
||||
or MinIO will use the default location `/tmp/krb5cc_%{uid}`.
|
||||
```sh
|
||||
export KRB5CCNAME=/path/to/krb5cc
|
||||
```
|
||||
|
||||
If you prefer to use keytab, with automatically renewal, you need to config three environment variables:
|
||||
|
||||
- `KRB5KEYTAB`: the location of keytab file
|
||||
- `KRB5USERNAME`: the username
|
||||
- `KRB5REALM`: the realm
|
||||
|
||||
Please note that the username is not principal name.
|
||||
|
||||
```sh
|
||||
export KRB5KEYTAB=/path/to/keytab
|
||||
export KRB5USERNAME=hdfs
|
||||
export KRB5REALM=REALM.COM
|
||||
```
|
||||
|
||||
## Test using MinIO Browser
|
||||
*MinIO gateway* comes with an embedded web based object browser. Point your web browser to http://127.0.0.1:9000 to ensure that your server has started successfully.
|
||||
|
||||
|