hadoop-common-issues mailing list archives

From "Sergey Shelukhin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-13081) add the ability to create multiple UGIs/subjects from one kerberos login
Date Tue, 20 Sep 2016 20:51:20 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-13081?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15507759#comment-15507759 ]

Sergey Shelukhin commented on HADOOP-13081:
-------------------------------------------

[~cnauroth] the concrete use case is where a service runs multiple pieces of work on behalf
of users; it can be set to log in as a particular user using Kerberos, but the users can also
add their own tokens.
We cannot add tokens to a single Kerberos-based UGI because they will all mix; we also cannot
log in for every piece of work in most cases, as it would overload the KDC.
Ideally, we should be able to reuse the Kerberos login and create a separate UGI with it for
each user, adding the user-specific tokens.

> add the ability to create multiple UGIs/subjects from one kerberos login
> ------------------------------------------------------------------------
>
>                 Key: HADOOP-13081
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13081
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Sergey Shelukhin
>            Assignee: Sergey Shelukhin
>             Fix For: 2.8.0, 3.0.0-alpha1
>
>         Attachments: HADOOP-13081.01.patch, HADOOP-13081.02.patch, HADOOP-13081.02.patch,
> HADOOP-13081.03.patch, HADOOP-13081.03.patch, HADOOP-13081.patch
>
>
> We have a scenario where we log in with Kerberos as a certain user for some tasks, but
> also want to add tokens to the resulting UGI that would be specific to each task. We don't
> want to authenticate with Kerberos for every task.
> I am not sure how this can be accomplished with the existing UGI interface. Perhaps some
> clone method would be helpful, similar to createProxyUser minus the proxy stuff; or it could
> just relogin anew from the ticket cache. getUGIFromTicketCache seems like the best option in existing
> code, but there doesn't appear to be a consistent way of handling the ticket cache location -
> the above method, which I only see called in tests, is using a config setting that is not used
> anywhere else, and the env variable for the location that is used in the main ticket cache
> related methods is not set uniformly on all paths - therefore, trying to find the correct
> ticket cache and passing it via the config setting to getUGIFromTicketCache seems even hackier
> than doing the clone via reflection ;) Moreover, getUGIFromTicketCache ignores the user parameter
> on the main path - it logs a warning for multiple principals and then logs in with the first available.


