hadoop-common-issues mailing list archives

From "Steve Loughran (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-8572) Have the ability to force the use of the login user
Date Thu, 22 May 2014 08:32:39 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-8572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14005721#comment-14005721 ]

Steve Loughran commented on HADOOP-8572:
----------------------------------------

I'd rather the complexity in the code than having another config option to turn it off, as
that leads to another config option to play with when trying to get security to work. Once
you start trying to talk to secure clusters or just run code in YARN app masters (as user
"yarn") while impersonating the user submitting the job, you'll discover there's already enough
to worry about. Getting the developers to care about this sooner rather than later is, while
painful, the best way to make sure things run in production.

> Have the ability to force the use of the login user 
> ----------------------------------------------------
>
>                 Key: HADOOP-8572
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8572
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Guillaume Nodet
>         Attachments: HADOOP-8572.patch
>
>
> In Karaf, most of the code is run under the "karaf" user. When a user sshes into Karaf, commands will be executed under that user.
> Deploying hadoop inside Karaf requires that the authenticated Subject has the required hadoop principals set, which forces the reconfiguration of the whole security layer, even at dev time.
> My patch proposes the introduction of a new configuration property {{hadoop.security.force.login.user}} which if set to true (it would default to false to keep the current behavior), would force the use of the login user instead of using the authenticated subject (which is what happens when there's no authenticated subject at all). This greatly simplifies the use of hadoop in such environments where security isn't really needed (at dev time).



--
This message was sent by Atlassian JIRA
(v6.2#6252)
