hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "john lilley (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-12333) UserGroupInformation method to log in and relogin with password
Date Mon, 17 Aug 2015 20:40:45 GMT
john lilley created HADOOP-12333:
------------------------------------

             Summary: UserGroupInformation method to log in and relogin with password
                 Key: HADOOP-12333
                 URL: https://issues.apache.org/jira/browse/HADOOP-12333
             Project: Hadoop Common
          Issue Type: Improvement
          Components: security
    Affects Versions: 2.6.0
         Environment: all
            Reporter: john lilley


UserGroupInformation lacks a simple method to login using a password, and also makes an important
method private.  While many people seem to believe that kinit should be used for passwords,
it is unworkable in many cases (such as when software is running as a service).

Currently to workaround we must do all of this:
    // create a dynamic configuration for the LoginContext
    Map<String,String> krbOptions = new HashMap<String,String>();
    krbOptions.put("doNotPrompt", "false");
    krbOptions.put("useTicketCache", "false");
    krbOptions.put("useKeyTab", "false");
    krbOptions.put("renewTGT", "false");
    AppConfigurationEntry ace = new AppConfigurationEntry(
        KerberosUtil.getKrb5LoginModuleName(), LoginModuleControlFlag.REQUIRED,
        krbOptions);
    DynamicConfiguration dynConf = new DynamicConfiguration(
        new AppConfigurationEntry[] {ace});
    // create LoginContext with login callback handler
    LoginContext loginContext = newLoginContext(USER_PASSWORD_LOGIN_KERBEROS_CONFIG_NAME,

      null, new LoginHandler(userPrincipal, password), dynConf);
    loginContext.login();
    // get Subject and Principal for logged in user
    Subject loginSubject = loginContext.getSubject();
    Set<Principal> loginPrincipals = loginSubject.getPrincipals();
    if (loginPrincipals.isEmpty()) {
      throw new LoginException("No login principals in loginSubject: " + loginSubject);
    }
    String username = loginPrincipals.iterator().next().getName();
    Principal ugiUser = newUser(username, AuthenticationMethod.KERBEROS, loginContext);
    // update Hadoop security details
    loginSubject.getPrincipals().add(ugiUser);
    UserGroupInformation loginUser = newUserGroupInformation(loginSubject);
    UserGroupInformation.setLoginUser(loginUser);
    setUGILogin(loginUser, loginContext); // do loginUser.setLogin(loginContext)
    loginUser.setAuthenticationMethod(AuthenticationMethod.KERBEROS);

Note the method setUGILogin() uses reflection to overcome private method that we need:
private static void setUGILogin(UserGroupInformation loginUser, LoginContext loginContext)

    	      throws SecurityException, NoSuchMethodException, IllegalArgumentException, 
    	      IllegalAccessException, InvocationTargetException 
  {
    Class<UserGroupInformation> cls = UserGroupInformation.class;
    Method mtd = cls.getDeclaredMethod("setLogin", LoginContext.class);
    mtd.setAccessible(true);
    mtd.invoke(loginUser, loginContext);
  }
  
Finally there is no method reloginFromPassword().  While we can use reflection to access the
private methods needed for this, it should simply be supported.  

PS: I really hope I've just missed something obvious and you can just call me an idiot ;-)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message