stackabletech · sbernauer · Feb 14, 2023 · Feb 14, 2023 · Feb 17, 2023 · Mar 15, 2023
diff --git a/docs/modules/hdfs/pages/usage-guide/security.adoc b/docs/modules/hdfs/pages/usage-guide/security.adoc
@@ -5,6 +5,8 @@ Currently the only supported authentication mechanism is Kerberos, which is disa
 For Kerberos to work a Kerberos KDC is needed, which the users needs to provide.
 The xref:home:secret-operator:secretclass.adoc#backend-kerberoskeytab[secret-operator documentation] states which kind of Kerberos servers are supported and how they can be configured.
 
+IMPORTANT: Kerberos is supported staring from HDFS version 3.3.x
+
 === 1. Prepare Kerberos server
 To configure HDFS to use Kerberos you first need to collect information about your Kerberos server, e.g. hostname and port.
 Additionally you need a service-user, which the secret-operator uses to create create principals for the HDFS services.
@@ -43,7 +45,7 @@ The important part is
 > Security is on.
 
 You can also shell into the namenode and try to access the file system:
-`kubectl exec -it hdfs-namenode-default-0 -c namenode -- bash -c 'bin/hdfs dfs -ls /'`
+`kubectl exec -it hdfs-namenode-default-0 -c namenode -- bash -c 'kdestroy && bin/hdfs dfs -ls /'`
 
 You should get the error message `org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]`.
 

diff --git a/rust/crd/src/constants.rs b/rust/crd/src/constants.rs
@@ -12,6 +12,7 @@ pub const LABEL_STS_POD_NAME: &str = "statefulset.kubernetes.io/pod-name";
 
 pub const HDFS_SITE_XML: &str = "hdfs-site.xml";
 pub const CORE_SITE_XML: &str = "core-site.xml";
+pub const HADOOP_POLICY_XML: &str = "hadoop-policy.xml";
 pub const SSL_SERVER_XML: &str = "ssl-server.xml";
 pub const SSL_CLIENT_XML: &str = "ssl-client.xml";
 pub const LOG4J_PROPERTIES: &str = "log4j.properties";
@@ -55,7 +56,6 @@ pub const DFS_HA_NAMENODES: &str = "dfs.ha.namenodes";
 // core-site.xml
 pub const FS_DEFAULT_FS: &str = "fs.defaultFS";
 pub const HA_ZOOKEEPER_QUORUM: &str = "ha.zookeeper.quorum";
-pub const HADOOP_SECURITY_AUTHENTICATION: &str = "hadoop.security.authentication";
 
 pub const STACKABLE_ROOT_DATA_DIR: &str = "/stackable/data";
 pub const NAMENODE_ROOT_DATA_DIR: &str = "/stackable/data/namenode";

diff --git a/rust/crd/src/lib.rs b/rust/crd/src/lib.rs
@@ -573,6 +573,7 @@ impl HdfsCluster {
         let pnk = vec![
             PropertyNameKind::File(HDFS_SITE_XML.to_string()),
             PropertyNameKind::File(CORE_SITE_XML.to_string()),
+            PropertyNameKind::File(HADOOP_POLICY_XML.to_string()),
             PropertyNameKind::File(SSL_SERVER_XML.to_string()),
             PropertyNameKind::File(SSL_CLIENT_XML.to_string()),
             PropertyNameKind::Env,
@@ -619,12 +620,7 @@ impl HdfsCluster {
     }
 
     pub fn has_kerberos_enabled(&self) -> bool {
-        self.spec
-            .cluster_config
-            .authentication
-            .as_ref()
-            .map(|auth| &auth.kerberos)
-            .is_some()
+        self.kerberos_config().is_some()
     }
 
     pub fn kerberos_config(&self) -> Option<&KerberosConfig> {

diff --git a/rust/crd/src/security.rs b/rust/crd/src/security.rs
@@ -5,13 +5,13 @@ use stackable_operator::schemars::{self, JsonSchema};
 #[serde(rename_all = "camelCase")]
 pub struct AuthenticationConfig {
     /// Name of the SecretClass providing the tls certificates for the WebUIs.
-    #[serde(default = "default_kerberos_tls_secret_class")]
+    #[serde(default = "default_tls_secret_class")]
     pub tls_secret_class: String,
     /// Kerberos configuration
     pub kerberos: KerberosConfig,
 }
 
-fn default_kerberos_tls_secret_class() -> String {
+fn default_tls_secret_class() -> String {
     "tls".to_string()
 }
 

diff --git a/rust/operator/src/config.rs b/rust/operator/src/config.rs
@@ -24,8 +24,8 @@ impl HdfsSiteConfigBuilder {
         }
     }
 
-    pub fn add(&mut self, property: &str, value: &str) -> &mut Self {
-        self.config.insert(property.to_string(), value.to_string());
+    pub fn add(&mut self, property: impl Into<String>, value: impl Into<String>) -> &mut Self {
+        self.config.insert(property.into(), value.into());
         self
     }
 
@@ -206,8 +206,8 @@ impl CoreSiteConfigBuilder {
         }
     }
 
-    pub fn add(&mut self, property: &str, value: &str) -> &mut Self {
-        self.config.insert(property.to_string(), value.to_string());
+    pub fn add(&mut self, property: impl Into<String>, value: impl Into<String>) -> &mut Self {
+        self.config.insert(property.into(), value.into());
         self
     }