hadoop-common-issues mailing list archives

From "Owen O'Malley (JIRA)" <j...@apache.org>
Subject [jira] Updated: (HADOOP-6299) Use JAAS LoginContext for our login
Date Wed, 11 Nov 2009 20:56:39 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Owen O'Malley updated HADOOP-6299:
----------------------------------

    Attachment: UserGroupInformation.java

This is a prototype of what I have in mind. In particular:

1. Reimplement UserGroupInformation (UGI) to be based entirely on JAAS.
2. UGI will have a single field that is the JAAS Subject that stores all of the information.
3. UGI will support both Unix and Kerberos authentication. Unix is the equivalent of what
we have now. Kerberos will assume that the user has a TGT in the ticket cache.
4. Servers will be able to log in using a Kerberos keytab and principal name so that they
run as the user.
5. There will be a method to create a remote user based solely on the user name.
6. It will use the Hadoop configuration to determine whether Kerberos or simple authentication
is used. The JAAS configuration is done programmatically instead of needing a separate configuration
file in $JAVA_HOME.
7. Move User class into UserGroupInformation.
8. Remove Group class.
9. Remove UnixUserGroupInformation class.

> Use JAAS LoginContext for our login
> -----------------------------------
>
>                 Key: HADOOP-6299
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6299
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Arun C Murthy
>             Fix For: 0.22.0
>
>         Attachments: UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials
> (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such
> as LoginContext and possibly implement a custom UnixLoginContext for our current requirements.
> In future we can use this for Kerberos etc.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
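
Added example, not taken from the attached UserGroupInformation.java prototype: one way to build the JAAS configuration in memory (point 6 of the message) with entries for Unix login, the Kerberos ticket cache, and a server keytab (points 3 and 4). It assumes an Oracle/OpenJDK runtime on a Unix-like host, which ships the com.sun.security.auth.module login modules; the class name, the entry names, and the command-line argument standing in for the Hadoop configuration value are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.*;
public class ProgrammaticJaasLogin {
  // Hypothetical entry names chosen for this example.
  static final String SIMPLE = "example-simple";
  static final String USER_KERBEROS = "example-user-kerberos";
  static final String KEYTAB_KERBEROS = "example-keytab-kerberos";

  /** Builds JAAS entries in memory, so no JAAS configuration file is read. */
  static class InMemoryConfig extends Configuration {
    private final String keytab, principal;
    InMemoryConfig(String keytab, String principal) { this.keytab = keytab; this.principal = principal; }
    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
      Map<String, String> opts = new HashMap<>();
      String module = "com.sun.security.auth.module.Krb5LoginModule";
      if (SIMPLE.equals(name)) {             // OS identity; Unix-like JDKs only
        module = "com.sun.security.auth.module.UnixLoginModule";
      } else if (USER_KERBEROS.equals(name)) {
        opts.put("useTicketCache", "true");  // reuse the TGT already in the ticket cache
        opts.put("doNotPrompt", "true");     // fail instead of asking for a password
      } else if (KEYTAB_KERBEROS.equals(name)) {
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab);
        opts.put("principal", principal);
        opts.put("storeKey", "true");        // keep the key in the Subject for a server
        opts.put("doNotPrompt", "true");
      } else {
        return null;                         // unknown entry: LoginContext will fail
      }
      return new AppConfigurationEntry[] {
        new AppConfigurationEntry(module, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
    }
  }

  /** Logs in under the named entry and returns the populated Subject. */
  static Subject login(String entry, String keytab, String principal) throws LoginException {
    Subject subject = new Subject();
    new LoginContext(entry, subject, null, new InMemoryConfig(keytab, principal)).login();
    return subject;
  }
  public static void main(String[] args) throws LoginException {
    // args[0] is a stand-in for the Hadoop configuration value.
    boolean kerberos = args.length > 0 && "kerberos".equals(args[0]);
    System.out.println(login(kerberos ? USER_KERBEROS : SIMPLE, null, null).getPrincipals());
  }
}
```

With `doNotPrompt` set, a missing ticket or unreadable keytab surfaces as a `LoginException` rather than an interactive prompt, which is the behaviour a daemon needs.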

