hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "john lilley (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-12333) UserGroupInformation method to log in and relogin with password
Date Wed, 19 Aug 2015 22:45:46 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-12333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14703866#comment-14703866
] 

john lilley commented on HADOOP-12333:
--------------------------------------

Am I just missing something obvious about this?  "clients can relogin to kerberos, get new
tickets/tokens"
As I mentioned before, we can get tickets using login/password via UGI.  This works.  But
I get lost around "how does one re-login and use the new ticket?".  Here's what we observe:
-- We do a login and see the TGT in the UGI
-- After accessing HDFS, we see the TGT and the HDFS ticket in UGI.
-- After user.logout(), both tickets disappear
-- After a new login() a new TGT appears
-- Accessing HDFS fails and no HDFS ticket is added.
We are trying to understand why this process diverges from reloginFromKeytab(), which works
just fine.

> UserGroupInformation method to log in and relogin with password
> ---------------------------------------------------------------
>
>                 Key: HADOOP-12333
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12333
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.6.0
>         Environment: all
>            Reporter: john lilley
>
> UserGroupInformation lacks a simple method to login using a password, and also makes
an important method private.  While many people seem to believe that kinit should be used
for passwords, it is unworkable in many cases (such as when software is running as a service).
> Currently to workaround we must do all of this:
>     // create a dynamic configuration for the LoginContext
>     Map<String,String> krbOptions = new HashMap<String,String>();
>     krbOptions.put("doNotPrompt", "false");
>     krbOptions.put("useTicketCache", "false");
>     krbOptions.put("useKeyTab", "false");
>     krbOptions.put("renewTGT", "false");
>     AppConfigurationEntry ace = new AppConfigurationEntry(
>         KerberosUtil.getKrb5LoginModuleName(), LoginModuleControlFlag.REQUIRED,
>         krbOptions);
>     DynamicConfiguration dynConf = new DynamicConfiguration(
>         new AppConfigurationEntry[] {ace});
>     // create LoginContext with login callback handler
>     LoginContext loginContext = newLoginContext(USER_PASSWORD_LOGIN_KERBEROS_CONFIG_NAME,

>       null, new LoginHandler(userPrincipal, password), dynConf);
>     loginContext.login();
>     // get Subject and Principal for logged in user
>     Subject loginSubject = loginContext.getSubject();
>     Set<Principal> loginPrincipals = loginSubject.getPrincipals();
>     if (loginPrincipals.isEmpty()) {
>       throw new LoginException("No login principals in loginSubject: " + loginSubject);
>     }
>     String username = loginPrincipals.iterator().next().getName();
>     Principal ugiUser = newUser(username, AuthenticationMethod.KERBEROS, loginContext);
>     // update Hadoop security details
>     loginSubject.getPrincipals().add(ugiUser);
>     UserGroupInformation loginUser = newUserGroupInformation(loginSubject);
>     UserGroupInformation.setLoginUser(loginUser);
>     setUGILogin(loginUser, loginContext); // do loginUser.setLogin(loginContext)
>     loginUser.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
> Note the method setUGILogin() uses reflection to overcome private method that we need:
> private static void setUGILogin(UserGroupInformation loginUser, LoginContext loginContext)

>     	      throws SecurityException, NoSuchMethodException, IllegalArgumentException,

>     	      IllegalAccessException, InvocationTargetException 
>   {
>     Class<UserGroupInformation> cls = UserGroupInformation.class;
>     Method mtd = cls.getDeclaredMethod("setLogin", LoginContext.class);
>     mtd.setAccessible(true);
>     mtd.invoke(loginUser, loginContext);
>   }
>   
> Finally there is no method reloginFromPassword().  While we can use reflection to access
the private methods needed for this, it should simply be supported.  
> PS: I really hope I've just missed something obvious and you can just call me an idiot
;-)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message