From: "Jing Zhao (JIRA)"
To: common-issues@hadoop.apache.org
Date: Wed, 22 Jan 2014 19:53:20 +0000 (UTC)
Subject: [jira] [Updated] (HADOOP-10215) Cannot create hftp filesystem when using a proxy user ugi and a doAs on a secure cluster

     [ https://issues.apache.org/jira/browse/HADOOP-10215?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jing Zhao updated HADOOP-10215:
-------------------------------
    Attachment: HADOOP-10215.001.patch

Update the patch. The new patch makes sure that the DT is under the proxy user's name. I've tested the patch in my local security setup and the patch works fine.
The testing code:
{code}
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

public class TestHftpFSWithProxyUser {
  public static void main(String[] argv) throws Exception {
    if (argv.length <= 1) {
      System.err.println("Usage: TestHftpFSWithProxyUser fs-uri proxyUser");
      return;
    }
    String fsUri = argv[0];
    String proxyUserName = argv[1];
    // The real user is whoever is currently logged in.
    UserGroupInformation real = UserGroupInformation.getCurrentUser();
    System.out.println("Get real ugi: " + real.getShortUserName());
    // Impersonate proxyUserName on top of the real user's credentials.
    UserGroupInformation proxy = UserGroupInformation.createProxyUser(
        proxyUserName, real);
    System.out.println("Create proxy ugi: " + proxy.getShortUserName());
    final Configuration conf = new Configuration();
    conf.set(CommonConfigurationKeysPublic.FS_DEFAULT_NAME_KEY, fsUri);
    // Create the file system and list "/" as the proxy user.
    FileStatus[] status = proxy.doAs(new PrivilegedExceptionAction<FileStatus[]>() {
      @Override
      public FileStatus[] run() throws Exception {
        FileSystem fs = FileSystem.get(conf);
        return fs.listStatus(new Path("/"));
      }
    });
    System.out.println("ls results: " + Arrays.asList(status).toString());
  }
}
{code}

> Cannot create hftp filesystem when using a proxy user ugi and a doAs on a secure cluster
> ----------------------------------------------------------------------------------------
>
>                 Key: HADOOP-10215
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10215
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.2.0
>            Reporter: Arpit Gupta
>            Assignee: Jing Zhao
>         Attachments: HADOOP-10215.000.patch, HADOOP-10215.001.patch
>
>
> Noticed this while debugging issues in another application. We saw an error when trying to do a FileSystem.get using an hftp file system on a secure cluster using a proxy user ugi.
> This is a small snippet used
> {code}
> FileSystem testFS = ugi.doAs(new PrivilegedExceptionAction<FileSystem>() {
>     @Override
>     public FileSystem run() throws IOException {
>         return FileSystem.get(hadoopConf);
>     }
> });
> {code}
> The same code worked for hdfs and webhdfs but not for hftp when the ugi used was UserGroupInformation.createProxyUser



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
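
One way to check the property the updated patch is said to enforce, that the delegation token is issued under the proxy user's name. This is an added example, not code from the JIRA issue or its patches. The class name CheckProxyTokenOwner, the choice of renewer, and the assumption that the token identifier bytes are in the HDFS DelegationTokenIdentifier format are illustrative assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;

// Hypothetical helper class (added example, not part of HADOOP-10215).
public class CheckProxyTokenOwner {
  public static void main(String[] argv) throws Exception {
    if (argv.length <= 1) {
      System.err.println("Usage: CheckProxyTokenOwner fs-uri proxyUser");
      return;
    }
    final Configuration conf = new Configuration();
    conf.set(CommonConfigurationKeysPublic.FS_DEFAULT_NAME_KEY, argv[0]);
    final UserGroupInformation real = UserGroupInformation.getCurrentUser();
    UserGroupInformation proxy = UserGroupInformation.createProxyUser(argv[1], real);

    // Request the token inside doAs so the request is made as the proxy user.
    Token<?> token = proxy.doAs(new PrivilegedExceptionAction<Token<?>>() {
      @Override
      public Token<?> run() throws Exception {
        // Assumption: the real user is named as renewer, purely for illustration.
        return FileSystem.get(conf).getDelegationToken(real.getShortUserName());
      }
    });
    if (token == null) {
      System.err.println("No delegation token returned (is security enabled?)");
      System.exit(2);
    }

    // Decode the identifier bytes directly rather than by token kind.
    // Assumption: the identifier uses the HDFS DelegationTokenIdentifier layout.
    DelegationTokenIdentifier id = new DelegationTokenIdentifier();
    id.readFields(new DataInputStream(new ByteArrayInputStream(token.getIdentifier())));

    // getUser() rebuilds the UGI the token represents; compare short names.
    UserGroupInformation tokenUser = id.getUser();
    System.out.println("kind=" + token.getKind() + " owner=" + id.getOwner()
        + " realUser=" + id.getRealUser());
    boolean ok = tokenUser != null
        && tokenUser.getShortUserName().equals(proxy.getShortUserName());
    System.out.println(ok ? "OK: token is under the proxy user's name"
                          : "MISMATCH: token is not under the proxy user's name");
    System.exit(ok ? 0 : 1);
  }
}
```

The exit status is 0 when the token owner matches the proxy user, 1 on a mismatch, and 2 when no token was returned.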