hadoop-common-issues mailing list archives

From "Larry McCay (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9797) Pluggable and compatible UGI change
Date Mon, 28 Oct 2013 20:29:31 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13807188#comment-13807188 ]

Larry McCay commented on HADOOP-9797:
-------------------------------------

Hello Kai - I've spent some more time reviewing this patch and have found what I believe to
be a bug in the HadoopLoginManager.
In addition, I would like to discuss how we might be able to make progress with a pluggable
authentication mechanism without such a large change to UGI. 

I fear that this change introduces a lot of risk to existing usage by both the Hadoop infrastructure
itself and to unknown clients from end users and third party ecosystem usage.

If we can come up with a less intrusive change, I think that would be easier to move forward.
What would you consider the least amount of change that would make plugging in (or maybe just
adding) token auth possible?

Anyway, the following code snippet seems like it may be wrong to me:

+  /**
+   * Get and return Jaas login configuration, as convenient method for Jaas login
+   */
+  public static JaasLoginConfiguration getJaasLoginConfiguration(String confName) {
+    HadoopLoginConfiguration hlc = createLoginConfiguration(confName);
+    
+    if (hlc != null) {
+      return null;
+    }
+    
+    if (! (hlc instanceof JaasLoginConfiguration) ) {
+      throw new IllegalArgumentException("Not JAAS configuration: " + confName);
+    }
+    JaasLoginConfiguration jlc = (JaasLoginConfiguration) hlc;
+    return (JaasLoginConfiguration) jlc;
+  }
+}
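
Review bot: the null check in getJaasLoginConfiguration is inverted. `if (hlc != null) { return null; }` returns null whenever createLoginConfiguration succeeds. When hlc is null, control falls through to `hlc instanceof JaasLoginConfiguration`, which is false for null, so the method throws IllegalArgumentException with the "Not JAAS configuration" message. As written the method can never return a configuration, and any caller that uses the result without a null check fails later with a NullPointerException, away from the real cause. The condition should be `hlc == null`. For a login path it is also worth deciding whether an unknown confName should return null or throw, and saying so in the javadoc, which currently does not describe the return value or the exception. Minor: `jlc` is already a JaasLoginConfiguration, so the cast in the return statement is redundant.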

> Pluggable and compatible UGI change
> -----------------------------------
>
>                 Key: HADOOP-9797
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9797
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>              Labels: Rhino
>             Fix For: 3.0.0
>
>         Attachments: HADOOP-9797-v1.patch, HADOOP-9797-v2.patch, HADOOP-9797-v3.patch, Pluggable and Compatible UGI Change.pdf
>
>
> As already widely discussed, current UGI related classes need to be improved in many aspects. This is to improve and make UGI so that it can be:
>
> * Pluggable, new authentication method with its login module can be dynamically registered and plugged without having to change the UGI class;
> * Extensible, login modules with their options can be dynamically extended and customized so that they can be reusable elsewhere, like in TokenAuth;
> * No Kerberos relevant, remove any Kerberos relevant functionalities out of it to make it simple and suitable for other login mechanisms;
> * Of appropriate abstraction and API, with improved abstraction and API it’s possible to allow authentication implementations not using JAAS modules;
> * Compatible, should be compatible with previous deployment and authentication methods, so the existing APIs won’t be removed and some of them are just to be deprecated.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
