hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alejandro Abdelnur (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-13557) UserGroupInformation created from a Subject incorrectly tries to renew the Keberos ticket
Date Mon, 29 Aug 2016 14:31:20 GMT
Alejandro Abdelnur created HADOOP-13557:
-------------------------------------------

             Summary: UserGroupInformation created from a Subject incorrectly tries to renew
the Keberos ticket
                 Key: HADOOP-13557
                 URL: https://issues.apache.org/jira/browse/HADOOP-13557
             Project: Hadoop Common
          Issue Type: Bug
          Components: security
    Affects Versions: 2.6.4, 2.7.2, 3.0.0-alpha2
            Reporter: Alejandro Abdelnur


The UGI {{checkTGTAndReloginFromKeytab()}} method checks certain conditions and if they are
met it invokes the {{reloginFromKeytab()}}. The {{reloginFromKeytab()}} method then fails
with an {{IOException}} "loginUserFromKeyTab must be done first" because there is no keytab
associated with the UGI.

The {{checkTGTAndReloginFromKeytab()}} method checks if there is a keytab ({{isKeytab}} UGI
instance variable) associated with the UGI, if there is one it triggers a call to {{reloginFromKeytab()}}.
The problem is that the {{keytabFile}} UGI instance variable is NULL, and that triggers the
mentioned {{IOException}}.


The root of the problem seems to be when creating a UGI via the {{UGI.loginUserFromSubject(Subject)}}
method, this method uses the {{UserGroupInformation(Subject)}} constructor, and this constructor
does the following to determine if there is a keytab or not.

{code}
  this.isKeytab = KerberosUtil.hasKerberosKeyTab(subject);
{code}

If the {{Subject}} given had a keytab, then the UGI instance will have the {{isKeytab}} set
to TRUE.

It sets the UGI instance as it would have a keytab because the Subject has a keytab. This
has 2 problems:

First, it does not set the keytab file (and this, having the {{isKeytab}} set to TRUE and
the {{keytabFile}) set to NULL is what triggers the {{IOException}} in the method {{reloginFromKeytab()}}.

Second (and even if the first problem is fixed, this still is a problem), it assumes that
because the subject has a keytab it is up to UGI to to the relogin using the keytab. This
is incorrect if the UGI was created using the {{UGI.loginUserFromSubject(Subject)}} method.
In such case, the owner of the Subject is not the UGI, but the caller, so the caller is responsible
for renewing the Kerberos tickets and the UGI should not try to do so.




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message