hadoop-common-issues mailing list archives

From "Uday Kale (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-12953) New API for libhdfs to get FileSystem object as a proxy user
Date Tue, 22 Mar 2016 19:12:25 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-12953?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Uday Kale updated HADOOP-12953:
-------------------------------
    Description: 
Secure impersonation in HDFS needs users to create proxy users and work with those. In libhdfs,
the hdfsBuilder accepts a userName but calls FileSystem.get() or FileSystem.newInstance() with
the user name to connect as. But, both these interfaces use getBestUGI() to get the UGI for
the given user. For services in Hadoop that authenticate end-users via LDAP, the end users
are not authenticated by Kerberos, so their authentication details won't be in the Kerberos
ticket cache. HADOOP_PROXY_USER is not a thread-safe way to get this either.

Hence the need for the new API for libhdfs to get the FileSystem object as a proxy user using
the 'secure impersonation' recommendations.

> New API for libhdfs to get FileSystem object as a proxy user
> ------------------------------------------------------------
>
>                 Key: HADOOP-12953
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12953
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: fs
>            Reporter: Uday Kale
>            Assignee: Uday Kale
>
> Secure impersonation in HDFS needs users to create proxy users and work with those. In
> libhdfs, the hdfsBuilder accepts a userName but calls FileSystem.get() or FileSystem.newInstance()
> with the user name to connect as. But, both these interfaces use getBestUGI() to get the UGI
> for the given user. For services in Hadoop that authenticate end-users via LDAP, the end users
> are not authenticated by Kerberos, so their authentication details won't be in the Kerberos
> ticket cache. HADOOP_PROXY_USER is not a thread-safe way to get this either.
> Hence the need for the new API for libhdfs to get the FileSystem object as a proxy user
> using the 'secure impersonation' recommendations.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
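
The 'secure impersonation' pattern the description refers to, shown with Hadoop's Java API as an added example; it is not part of the original message or of any HADOOP-12953 patch. The class name, service principal, keytab path, NameNode URI and end-user names are placeholders, and the example assumes a Kerberized cluster whose core-site.xml allows the service principal to impersonate (hadoop.proxyuser.<service>.hosts and .groups).

```java
import java.net.URI;
import java.security.PrivilegedExceptionAction;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

public class ProxyUserFs {  // hypothetical class name
    // Open a FileSystem as endUser. Only the service (the "real" user) holds
    // Kerberos credentials; endUser needs no entry in any ticket cache.
    // The caller must already have authenticated endUser (e.g. against LDAP).
    static FileSystem openAs(String endUser, URI uri, Configuration conf) throws Exception {
        UserGroupInformation real = UserGroupInformation.getLoginUser();
        UserGroupInformation proxy = UserGroupInformation.createProxyUser(endUser, real);
        // newInstance() bypasses the FileSystem cache, so close() affects only this handle.
        return proxy.doAs((PrivilegedExceptionAction<FileSystem>)
                () -> FileSystem.newInstance(uri, conf));
    }

    public static void main(String[] args) throws Exception {
        Configuration conf = new Configuration();
        URI uri = URI.create("hdfs://namenode.example.com:8020");        // placeholder
        UserGroupInformation.setConfiguration(conf);
        UserGroupInformation.loginUserFromKeytab(
                "svc/host.example.com@EXAMPLE.COM",                      // placeholder principal
                "/path/to/svc.keytab");                                  // placeholder keytab

        // The proxy identity is carried by each UGI object, not by process-wide
        // state such as the HADOOP_PROXY_USER environment variable, so
        // concurrent requests for different end users do not interfere.
        ExecutorService pool = Executors.newFixedThreadPool(2);
        for (String user : new String[] {"alice", "bob"}) {              // constructed names
            pool.submit(() -> {
                try (FileSystem fs = openAs(user, uri, conf)) {
                    int n = fs.listStatus(new Path("/user/" + user)).length;
                    System.out.println(user + ": " + n + " entries");
                } catch (Exception e) {
                    // An AuthorizationException here means the NameNode's
                    // hadoop.proxyuser.* rules do not permit this impersonation.
                    System.err.println(user + ": " + e);
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
    }
}
```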
