From: "Todd Lipcon (JIRA)"
To: common-issues@hadoop.apache.org
Date: Wed, 29 Dec 2010 15:23:45 -0500 (EST)
Subject: [jira] Commented: (HADOOP-6946) SecurityUtils' TGT fetching does not fall back to "login" user

    [ https://issues.apache.org/jira/browse/HADOOP-6946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12975899#action_12975899 ]

Todd Lipcon commented on HADOOP-6946:
-------------------------------------

Can someone familiar with the security code please review this?

> SecurityUtils' TGT fetching does not fall back to "login" user
> --------------------------------------------------------------
>
>                 Key: HADOOP-6946
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6946
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.22.0
>            Reporter: Todd Lipcon
>            Assignee: Todd Lipcon
>         Attachments: hadoop-6946-20security.txt, hadoop-6946.txt
>
>
> In SecurityUtil.getTgtFromSubject and SecurityUtil.fetchServiceTicket, the current JAAS Subject is fetched directly from the AccessController, rather than using UserGroupInformation.getCurrentUser().getSubject(). This means that if it is not run in the confines of a doAs() block, it will fail since the current JAAS subject is null, even though SecurityUtil.login(...) may have been called.
> In practice, one place this shows up is using the secondary namenode's "-checkpoint force" option in secured 0.20, since it's done inside the main thread with no surrounding doAs().
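The behaviour described in the issue, reduced to JDK-only code as an added example (not part of the original message and not Hadoop's code): a subject lookup that reads only the access-control context returns null outside doAs(), while a lookup that falls back to a stored login subject does not. The class, the `loginSubject` field, the method names and the principals are hypothetical, and the example assumes a JDK on which `Subject.getSubject(AccessControlContext)` is still supported (for example JDK 8 to 17).

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;

public class SubjectFallbackDemo {
    // Hypothetical stand-in for the subject a process-wide login call stores.
    private static volatile Subject loginSubject;

    static void login(String principal) {
        Subject s = new Subject();
        s.getPrincipals().add(new KerberosPrincipal(principal));
        loginSubject = s;
    }

    // Lookup as the issue describes it: only the subject bound to the
    // current access-control context is consulted.
    static Subject contextSubjectOnly() {
        return Subject.getSubject(AccessController.getContext());
    }

    // Lookup with fallback: prefer the doAs() subject, else the login subject.
    static Subject currentOrLoginSubject() {
        Subject s = contextSubjectOnly();
        return s != null ? s : loginSubject;
    }

    public static void main(String[] args) {
        login("nn/host.example.com@EXAMPLE.COM"); // constructed principal

        // Main thread with no surrounding doAs(): the context has no subject.
        System.out.println("outside doAs, context only:  " + contextSubjectOnly());
        System.out.println("outside doAs, with fallback: "
                + currentOrLoginSubject().getPrincipals());

        // Inside doAs() both lookups agree on the subject passed to doAs().
        Subject other = new Subject();
        other.getPrincipals().add(new KerberosPrincipal("alice@EXAMPLE.COM")); // constructed
        Subject.doAs(other, (PrivilegedAction<Void>) () -> {
            System.out.println("inside doAs, context only:   "
                    + contextSubjectOnly().getPrincipals());
            System.out.println("inside doAs, with fallback:  "
                    + currentOrLoginSubject().getPrincipals());
            return null;
        });
    }
}
```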