Currently, when a namespace is created, impersonation settings can be configured - a principal and keytab path.
However, these settings are not mutable.
This JIRA is to allow modifying the keytab path after the namespace creation, via the namespace update APIs. The principal will need to remain mutable, because the principal is cached and all of the namespace entities are also owned by the original principal.
Added the ability to update the keytab URI for a namespace's impersonation configuration.
We should be able to modify DefaultNamespaceAdmin to allow updating the keytabURI field.
We should continue disallowing modifying the other fields in the namespace config, such as principal, hbaseNamespace, etc.
Hi Ali,
Everything else can stay read only, we are only looking to be able to change the keytab file location...
This needs to be changed according to a standard way of specifying keytab files in CDAP. After the namespace impersonation, while doing app impersonation, we came up with the standard way: a user will specify a keytab directory in cdap-site.xml and an expression to generate the keytab file name by substitution of the principal name.
We already have a lot of convoluted code to support the lookup of principal/keytab from the namespace store, which looks into app.meta. The impersonation principal should be stored in the owner store and the keytab should be available in the configured directory. If a user wishes to store it at some other place, they can always do so and have a symlink in the keytab dir and keep changing it as and when needed. This eliminates the need for storing the keytab location in cdap for a namespace and standardizes how we find keytab files. With this change, there is no need to make the keytab location inside cdap mutable or even store it in the first place.
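The keytab-directory lookup proposed in the comment above, sketched as an added example that is not part of the original thread and is not CDAP code. The `${name}` placeholder, the function names and the sample principal are assumptions; the page does not give CDAP's actual property name or expression syntax.

```python
import os
import re
import stat
import tempfile

PLACEHOLDER = "${name}"  # hypothetical placeholder syntax, not CDAP's
# Kerberos principal shape: primary[/instance][@REALM]
PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[A-Za-z0-9_.-]+)(/[A-Za-z0-9_.-]+)?(@[A-Za-z0-9_.-]+)?$")


def resolve_keytab(keytab_dir, template, principal):
    """Return (path inside keytab_dir, real file that path points to)."""
    m = PRINCIPAL_RE.match(principal)
    if m is None or m.group("primary") in (".", ".."):
        raise ValueError("malformed principal: %r" % principal)
    file_name = template.replace(PLACEHOLDER, m.group("primary"))
    # The substituted name must stay a single path component.
    if os.path.basename(file_name) != file_name:
        raise ValueError("template must yield a bare file name")
    # Symlinks in the directory are followed, so only its owner may write to it.
    if stat.S_IMODE(os.stat(keytab_dir).st_mode) & 0o022:
        raise PermissionError("keytab directory is group/world writable")
    path = os.path.join(keytab_dir, file_name)
    target = os.path.realpath(path)  # follows an admin-managed symlink
    if not os.path.isfile(target):
        raise FileNotFoundError("no keytab for %r at %s" % (principal, path))
    return path, target


def demo():
    """Constructed layout: keytab stored elsewhere, symlinked into the directory."""
    root = os.path.realpath(tempfile.mkdtemp())
    keytab_dir = os.path.join(root, "keytabs")
    vault = os.path.join(root, "vault")
    os.mkdir(keytab_dir, 0o700)
    os.mkdir(vault, 0o700)
    real = os.path.join(vault, "alice-2024.keytab")
    with open(real, "wb") as f:
        f.write(b"constructed placeholder, not a real keytab")
    os.symlink(real, os.path.join(keytab_dir, "alice.keytab"))
    return keytab_dir, real


if __name__ == "__main__":
    d, _ = demo()
    print(resolve_keytab(d, "${name}.keytab", "alice/host1@EXAMPLE.COM"))
```

Because the symlink target may legitimately live outside the keytab directory, the directory's write permissions are the trust boundary here; the lookup refuses to run when group or others can write to it.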
Resolved by https://github.com/caskdata/cdap/pull/9701