elastic / elasticsearch

Free and Open, Distributed, RESTful Search Engine
https://www.elastic.co/products/elasticsearch

Hadoop HDFS Repository plugin #90048

Open kojec opened 1 year ago

kojec commented 1 year ago

Description

The security.principal value 'service/_HOST@REALM' in the "Hadoop HDFS Repository" configuration should allow using an environment variable for the principal, like _SERVICE.

The current state of the code is the opposite of the documentation's recommendation.

In some cases, if the same principal is authenticating from multiple clients at once, services may reject authentication for those principals under the assumption that they could be replay attacks. If you are running the plugin in production with multiple nodes you should be using a unique service principal for each node.

This change will allow each node in the cluster to use an individual service account for Hadoop authentication. This is required when it is not possible to create multiple service principals per service account.

Example configuration after change

PUT _snapshot/my_hdfs_repository
{
  "type": "hdfs",
  "settings": {
    "uri": "hdfs://namenode:8020/",
    "path": "/user/elasticsearch/repositories/my_hdfs_repository",
    "security.principal": "_SERVICE/_HOST@REALM"
  }
}

@breskeby Maybe it's a quick fix :)

elasticsearchmachine commented 1 year ago

Pinging @elastic/es-distributed (Team:Distributed)

elasticsearchmachine commented 1 year ago

Pinging @elastic/es-data-management (Team:Data Management)