hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Aaron T. Myers (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9317) User cannot specify a kerberos keytab for commands
Date Wed, 20 Feb 2013 19:47:13 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9317?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13582469#comment-13582469

Aaron T. Myers commented on HADOOP-9317:

Hey Daryn, have you tested this with IBM Java? I don't think it will quite work, since it
could result in both useDefaultCcache and useKeytab being set, which according to [IBM's JGSS
are incompatible when set in the same JAAS config.
> User cannot specify a kerberos keytab for commands
> --------------------------------------------------
>                 Key: HADOOP-9317
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9317
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Critical
>         Attachments: HADOOP-9317.branch-23.patch, HADOOP-9317.branch-23.patch, HADOOP-9317.patch,
HADOOP-9317.patch, HADOOP-9317.patch
> {{UserGroupInformation}} only allows kerberos users to be logged in via the ticket cache
when running hadoop commands.  {{UGI}} allows a keytab to be used, but it's only exposed programatically.
 This forces keytab-based users running hadoop commands to periodically issue a kinit from
the keytab.  A race condition exists during the kinit when the ticket cache is deleted and
re-created.  Hadoop commands will fail when the ticket cache does not momentarily exist.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

View raw message