I have a Docker container which has a Flask application running. I want to use this API for connection. I am very new to Kerberos and I have very little practical knowledge of it.

My host system will have a Kerberos client installed which can connect to Hadoop successfully. Can I somehow use the host system TGT to connect to Hadoop? I have looked at almost all the resources available online and I understand how Kerberos and Hadoop interact. I would just like to know how to make it work from inside the Docker container.

jashnb
  • **1.** Are you sure that the Docker setup is compatible with Kerberos, e.g. does the container have an "official" and canonical DNS name? **2.** In what kind of credentials cache will you store the _"host system TGT"_ -- the old-style Linux/Java file cache? The newer Linux `keyring`? The Windows LSA? **3.** What kind(s) of cache is (are) supported by your Python lib? – Samson Scharfrichter Oct 17 '18 at 11:29
  • 1. I don't think the docker has a DNS name associated with it but I can set a hostname during the docker run. 2 and 3. Host system will be storing it inside a local file. (Not sure if this answers your question.) I don't quite understand what you mean by supported caches. Thanks. – jashnb Oct 17 '18 at 14:35
  • So I came across a hack where I could mount the Kerberos configuration files inside the container and then run kinit to make the authentication. Now when I try to curl to the Hadoop webhdfs port, it still gives me HDFSError (Authentication required). On more research I found Kerberos requires GSS-Negotiate as a feature in curl. I am going to try and figure out how to install it and see if things start to work. – jashnb Oct 19 '18 at 14:16
  • Basically, `curl` can be compiled with or without Kerberos support -- and the Windows version usually uses the Microsoft customizations (via SSPI lib) that allow Single Sign-On, instead of standard GSSAPI. Check the list of available builds on the web site. – Samson Scharfrichter Oct 19 '18 at 17:30
  • @user2754437 I have the same problem, have you solved it? – wenlong Jan 22 '19 at 17:28
  • @wenlong I applied a workaround to make it work. From my Docker container, I ssh'd out to the host machine and I ran the client system present on the host. Basically using the host command line client instead of using the API. I know this is not an ideal way to go around it, but I was on a clock and this was the fastest solution I could come up with. – jashnb Feb 22 '19 at 19:15
  • @jashnb can you please give a bit more detail with some configuration? I am not able to figure out the setup. – niths4u Feb 06 '20 at 11:03

0 Answers
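
The two checks raised in the comments (which credentials cache type holds the TGT, and whether `curl` was built with Kerberos support) can be run as a preflight before debugging anything else. This is an added example, not code from the thread: the function names are hypothetical and the sample `curl --version` text is constructed.

```shell
#!/bin/sh
# Preflight for SPNEGO/Kerberos from inside a container (added example).

# $1: full text of `curl --version`. Succeeds if the build lists a
# GSS-API based feature ("GSS-Negotiate" is the name older builds print).
curl_supports_negotiate() {
    features=$(printf '%s\n' "$1" | sed -n 's/^Features: *//p')
    case " $features " in
        *" SPNEGO "*|*" GSS-API "*|*" GSS-Negotiate "*) return 0 ;;
    esac
    return 1
}

# $1: a KRB5CCNAME value. Prints the cache type; a bare path means FILE.
ccache_type() {
    if [ -z "$1" ]; then echo UNSET
    elif [ "${1#/}" != "$1" ] || [ "${1#*:}" = "$1" ]; then echo FILE
    else echo "${1%%:*}"
    fi
}

# Only file-backed caches exist as paths that can be bind-mounted;
# KEYRING, KCM and similar types live in the kernel or a daemon.
ccache_is_mountable() {
    case "$(ccache_type "$1")" in FILE|DIR) return 0 ;; esac
    return 1
}

# $1: `curl --version` text, $2: KRB5CCNAME value. Non-zero on any failure.
preflight() {
    rc=0
    if curl_supports_negotiate "$1"; then echo "curl: GSS-API/SPNEGO available"
    else echo "curl: built without GSS-API, --negotiate will not authenticate"; rc=1
    fi
    if ccache_is_mountable "$2"; then echo "ccache: $(ccache_type "$2"), can be bind-mounted"
    else echo "ccache: $(ccache_type "$2"), not a file the container can mount"; rc=1
    fi
    return $rc
}

# Constructed sample input; for a live check run:
#   preflight "$(curl --version)" "$KRB5CCNAME"
SAMPLE_CURL='curl 7.61.1 (x86_64-pc-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1
Protocols: file ftp http https
Features: AsynchDNS GSS-API IPv6 Kerberos Largefile NTLM SPNEGO SSL libz'
preflight "$SAMPLE_CURL" "FILE:/tmp/krb5cc_1000" || true
```

An `UNSET` result means the Kerberos library default applies, so confirm the actual cache location with `klist` on the host.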