accumulo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From joshelser <...@git.apache.org>
Subject [GitHub] accumulo pull request #273: ACCUMULO-4665 Use UGI with real Kerberos credent...
Date Mon, 26 Jun 2017 20:38:56 GMT
Github user joshelser commented on a diff in the pull request:

    https://github.com/apache/accumulo/pull/273#discussion_r124114509
  
    --- Diff: core/src/main/java/org/apache/accumulo/core/client/security/tokens/KerberosToken.java
---
    @@ -70,18 +71,12 @@ public KerberosToken(String principal) throws IOException {
        *          Should the current Hadoop user be replaced with this user
        */
       public KerberosToken(String principal, File keytab, boolean replaceCurrentUser) throws
IOException {
    -    requireNonNull(principal, "Principal was null");
    -    requireNonNull(keytab, "Keytab was null");
    +    this.principal = requireNonNull(principal, "Principal was null");
    +    this.keytab = requireNonNull(keytab, "Keytab was null");
         checkArgument(keytab.exists() && keytab.isFile(), "Keytab was not a normal
file");
    -    UserGroupInformation ugi;
         if (replaceCurrentUser) {
           UserGroupInformation.loginUserFromKeytab(principal, keytab.getAbsolutePath());
    -      ugi = UserGroupInformation.getCurrentUser();
    --- End diff --
    
    Essentially, Accumulo's Kerberos support was written to support full principals as "usernames".
Hadoop, however, has rules that define how principals are converted into "short names" and
uses though.
    
    e.g. the Kerberos principal {{accumulo@EXAMPLE.COM}} would be shortened to {{accumulo}}
by the default Hadoop rules (in core-site.xml).
    
    The problem is that Accumulo would treat {{accumulo}} and {{accumulo@EXAMPLE.COM}} differently.
The check above that was removed was to remove this client-side check and let it happen server-side.
    
    The flaw was that when a user has their own Kerberos ticket and talking to Accumulo, this
is likely programmer error. But in the case where I am a server making a request to Accumulo
on behalf of a user, it prevents the server from writing "logical" code (the test case hopefully
makes this clear).


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

Mime
View raw message