| Table of Contents |
|---|
...
To support mapping a namespace to "service account user" and principal, we will need to accept and store this custom mapping during namespace create operation. This mapping will be stored in NamespaceConfig which currently stores custom yarn queue names and is used by the NamespaceMeta. We will add an additional field to it, which will define the principal to be used under that namespace.
It is not yet clear how the credentials will be configured by the user; this will be flushed out as implementation continues. One possibility is to require that the user configure a kerberos keytab file located on HDFS:
| Code Block | ||||
|---|---|---|---|---|
| ||||
/**
* Represents the configuration of a namespace. This class needs to be GSON serializable.
*/
public class NamespaceConfig {
...
@SerializedName("user.principal")
private final String userPrincipal;
// location (on HDFS) of the credentials for the above principal
@SerializedName("keytab.file")
private final String keytabFileLocation;
...
} |
...
Hadoop's UserGroupInformation class has the following method:
// Log a user in from a keytab file.
UserGroupInformation loginUserFromKeytabAndReturnUGI(String user, String path)
...