Accessing Object Storage Using UPST

To access object storage using UPST, ensure that the Kerberos user used to authenticate to the HDFS connector has a corresponding user mapped in the integrated identity domain. For example, for the Kerberos principal hdfs-user1@BDSCLOUDSERVICE.ORACLE.COM, a user named hdfs-user1 must exist in the identity domain. To test the connection to object storage, run the following commands:

kinit <user_name>@<kdc_realm_name>

export HADOOP_OPTS="-DBDS_OSS_CLIENT_REGION=<region>"

hdfs dfs -ls oci://<bucket-name>@<bucket-namespace-name>/

The user can list the bucket contents if the proper permissions are set up for the OCI user.

HDFS Connector Internal Mode

The HDFS connector can be used with a default principal by setting the fs.oci.client.kinit.internal.mode = true option in the HDFS Advanced core-site configuration through Ambari.

If internal mode is set to true, provide values for the following configuration parameters:

  • fs.oci.client.upst.userPrincipal: Default user principal to use with the HDFS connector.
  • fs.oci.client.keytab.path: Keytab path for the default user principal.

For a complete list of configurable parameters, see https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/hdfsconnector.htm#hdfsconnector_topic-Using_Kerberos_Authentication. When integrating with UPST, most of the parameters are set automatically.
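
A pre-check for the internal-mode settings described above, as an added example that is not taken from Oracle's documentation or the connector's code. It assumes the properties are read from Hadoop-style core-site XML; the function names, the sample XML, the placeholder keytab path, and the keytab permission check are assumptions of this example.

```python
import os
import stat
import xml.etree.ElementTree as ET

MODE = "fs.oci.client.kinit.internal.mode"
PRINCIPAL = "fs.oci.client.upst.userPrincipal"
KEYTAB = "fs.oci.client.keytab.path"

# Constructed sample, not taken from a real cluster; the keytab path is a placeholder.
SAMPLE = """<configuration>
  <property><name>fs.oci.client.kinit.internal.mode</name><value>true</value></property>
  <property><name>fs.oci.client.upst.userPrincipal</name>
            <value>hdfs-user1@BDSCLOUDSERVICE.ORACLE.COM</value></property>
  <property><name>fs.oci.client.keytab.path</name><value>{keytab}</value></property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} from Hadoop-style <property> elements."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def mapped_user(principal):
    """User name expected in the identity domain (hdfs-user1@REALM -> hdfs-user1)."""
    return principal.split("@", 1)[0]

def check_internal_mode(props):
    """Return findings; an empty list means the internal-mode settings are usable."""
    # Assumption: an absent or non-"true" value means internal mode is off.
    if props.get(MODE, "").lower() != "true":
        return []
    findings = []
    principal, keytab = props.get(PRINCIPAL, ""), props.get(KEYTAB, "")
    if not mapped_user(principal) or "@" not in principal:
        findings.append(f"{PRINCIPAL} must be a full principal (user@REALM)")
    if not keytab:
        findings.append(f"{KEYTAB} is not set")
    elif not os.path.isfile(keytab):
        findings.append(f"keytab not found: {keytab}")
    elif stat.S_IMODE(os.stat(keytab).st_mode) & 0o077:
        # Added hardening check: a keytab holds long-term keys for the principal.
        findings.append(f"keytab is accessible to group/other: {keytab}")
    return findings

if __name__ == "__main__":
    props = load_props(SAMPLE.format(keytab="/path/to/default-user.keytab"))
    print("expected identity-domain user:", mapped_user(props[PRINCIPAL]))
    for finding in check_internal_mode(props) or ["internal-mode settings look consistent"]:
        print("-", finding)
```

Because internal mode lets the connector authenticate as the default principal from the keytab alone, the permission finding is the one to act on first: restrict the file to the account that runs the connector.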