hadoop-common-issues mailing list archives

From "Alejandro Abdelnur (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-13805) UGI.getCurrentUser() fails if user does not have a keytab associated
Date Thu, 10 Nov 2016 08:52:01 GMT
Alejandro Abdelnur created HADOOP-13805:
-------------------------------------------

             Summary: UGI.getCurrentUser() fails if user does not have a keytab associated
                 Key: HADOOP-13805
                 URL: https://issues.apache.org/jira/browse/HADOOP-13805
             Project: Hadoop Common
          Issue Type: Bug
          Components: security
    Affects Versions: 2.8.0, 2.9.0, 3.0.0-alpha2
            Reporter: Alejandro Abdelnur
            Priority: Blocker


The intention of HADOOP-13558 was to prevent UGI from trying to renew the TGT when the UGI is created
from an existing Subject, as in that case the keytab is not 'owned' by UGI but by the creator
of the Subject.

In HADOOP-13558 we introduced a new private UGI constructor {{UserGroupInformation(Subject
subject, final boolean externalKeyTab)}} and we use it with TRUE only when doing a {{UGI.loginUserFromSubject()}}.

The problem is, when we call {{UGI.getCurrentUser()}}, and UGI was created via a Subject (via
the {{UGI.loginUserFromSubject()}} method), we call {{new UserGroupInformation(subject)}}
which will delegate to {{UserGroupInformation(Subject subject, final boolean externalKeyTab)}}
 and that will use externalKeyTab == *TRUE*. 

Then the UGI returned by {{UGI.getCurrentUser()}} will attempt to log in using a non-existent
keytab if the TGT has expired.





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org

