elastic / elasticsearch

Free and Open Source, Distributed, RESTful Search Engine
https://www.elastic.co/products/elasticsearch

Hadoop HDFS Repository plugin #90048

Open kojec opened 2 years ago

kojec commented 2 years ago

Description

The security.principal value 'service/_HOST@REALM' in the configuration for "Hadoop HDFS Repository" should allow using an environment variable for the principal, like _SERVICE.

The current state of the code is opposite to the documentation recommendation.

In some cases, if the same principal is authenticating from multiple clients at once, services may reject authentication for those principals under the assumption that they could be replay attacks. If you are running the plugin in production with multiple nodes you should be using a unique service principal for each node.

This change will allow each node in the cluster to use an individual service account for Hadoop authentication. This is required when it is not possible to create multiple service principals per service account.

Example configuration after change

PUT _snapshot/my_hdfs_repository
{
  "type": "hdfs",
  "settings": {
    "uri": "hdfs://namenode:8020/",
    "path": "/user/elasticsearch/repositories/my_hdfs_repository",
    "security.principal": "_SERVICE/_HOST@REALM"
  }
}

@breskeby Maybe it's a quick fix :)
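
An added example (not part of the issue and not Elasticsearch's code) that models the requested substitution and checks the documentation's recommendation that every node resolves to a unique principal. `_SERVICE` is the placeholder proposed in this issue; the host names and per-node service names are constructed, and supplying the service name from a node's environment is an assumption.

```python
import re

# Kerberos principal: primary[/instance]@REALM
PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^/@\s]+)(?:/(?P<instance>[^/@\s]+))?@(?P<realm>[^/@\s]+)$"
)


def resolve_principal(pattern, hostname, service=None):
    """Expand _HOST and the proposed _SERVICE placeholder for one node."""
    m = PRINCIPAL_RE.match(pattern)
    if not m:
        raise ValueError(f"not a primary[/instance]@REALM principal: {pattern!r}")
    primary, instance, realm = m.group("primary", "instance", "realm")
    if primary == "_SERVICE":  # placeholder proposed in the issue
        if not service:
            raise ValueError(f"_SERVICE used but no service name set for {hostname}")
        primary = service
    if instance == "_HOST":
        instance = hostname.lower()  # host instances are conventionally lower-case
    name = primary if instance is None else f"{primary}/{instance}"
    return f"{name}@{realm}"


def shared_principals(pattern, nodes):
    """Return {principal: [hosts]} for principals that several nodes would share.

    nodes maps hostname -> service name taken from that node's environment
    (or None). An empty result means every node gets a unique principal.
    """
    by_principal = {}
    for host, service in nodes.items():
        principal = resolve_principal(pattern, host, service)
        by_principal.setdefault(principal, []).append(host)
    return {p: hosts for p, hosts in by_principal.items() if len(hosts) > 1}


# Constructed sample cluster: hostname -> value of a hypothetical per-node
# environment variable holding the service account name.
NODES = {
    "es-node-1.example.test": "svc_es_a",
    "es-node-2.example.test": "svc_es_b",
    "ES-Node-3.example.test": "svc_es_b",
}

if __name__ == "__main__":
    for pattern in ("elasticsearch/shared@REALM", "_SERVICE/_HOST@REALM"):
        print(pattern, "->", shared_principals(pattern, NODES) or "unique per node")
```
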

elasticsearchmachine commented 2 years ago

Pinging @elastic/es-distributed (Team:Distributed)

elasticsearchmachine commented 2 years ago

Pinging @elastic/es-data-management (Team:Data Management)