From: "Xiao Chen (JIRA)"
To: common-issues@hadoop.apache.org
Date: Wed, 4 Jan 2017 19:21:58 +0000 (UTC)
Subject: [jira] [Updated] (HADOOP-13805) UGI.getCurrentUser() fails if user does not have a keytab associated

[ https://issues.apache.org/jira/browse/HADOOP-13805?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Xiao Chen updated HADOOP-13805:
-------------------------------
Attachment: HADOOP-13805.05.patch

Thanks for the comment [~tucu00].
{quote}
kinit -R assumes the TGT can still be renewed; if it reached its max lifetime it is not. So this will delay the failure until the TGT cannot be renewed anymore.
{quote}

Looking at the [initial commit|https://github.com/apache/hadoop/commit/1a6ed79ebf6649d4f0828b8c2adff26d0f79832f#diff-8da26f813ae9e87bbf0fb9abb349acc2R445], I think that's what this renewal thread is supposed to do: {{kinit -R}} until the TGT reaches its max lifetime. After that, it will fail, and it seems the current code isn't considering it; no {{-kt }} is provided to the command. Verifying this from the shell, {{kinit -R -kt }} will get a new TGT to keep credentials updated, but it feels like we should split that improvement into a new jira. Let's move this part to HADOOP-13807 if you're comfortable.

Back to this jira, I think the issue can be fixed in another way. The current patch breaks {{TestKMS#testTGTRenewal}}, and the usage there seems reasonable. So maybe we can fix it this way: the state of whether a login is external shouldn't be an instance variable of the UGI, but a static variable reflecting which loginFromXXX was performed to log the user in. Therefore, it can track the initial login and perform relogins accordingly.

This is different from the current patch, because UGI itself instantiates new UGI objects in various calls (e.g. {{getCurrentUser}}), and performs {{loginUserFromSubject}} internally (e.g. {{getLoginUser(null)}}). Having a static variable to reflect the static {{loginUserFromXXX}} methods feels cleaner.

The patch has the proposed fix, and I didn't have to change any unit test. Appreciate your continued feedback!
> UGI.getCurrentUser() fails if user does not have a keytab associated
> --------------------------------------------------------------------
>
> Key: HADOOP-13805
> URL: https://issues.apache.org/jira/browse/HADOOP-13805
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.8.0, 2.9.0, 3.0.0-alpha2
> Reporter: Alejandro Abdelnur
> Assignee: Xiao Chen
> Attachments: HADOOP-13805.01.patch, HADOOP-13805.02.patch, HADOOP-13805.03.patch, HADOOP-13805.04.patch, HADOOP-13805.05.patch
>
> HADOOP-13558's intention was to avoid UGI trying to renew the TGT when the UGI is created from an existing Subject, as in that case the keytab is not 'owned' by UGI but by the creator of the Subject.
>
> In HADOOP-13558 we introduced a new private UGI constructor {{UserGroupInformation(Subject subject, final boolean externalKeyTab)}} and we use it with TRUE only when doing a {{UGI.loginUserFromSubject()}}.
>
> The problem is, when we call {{UGI.getCurrentUser()}}, and UGI was created via a Subject (via the {{UGI.loginUserFromSubject()}} method), we call {{new UserGroupInformation(subject)}}, which will delegate to {{UserGroupInformation(Subject subject, final boolean externalKeyTab)}}, and that will use externalKeyTab == *FALSE*.
>
> Then the UGI returned by {{UGI.getCurrentUser()}} will attempt to login using a non-existing keytab if the TGT expired.
>
> This problem is experienced in {{KMSClientProvider}} when used by the HDFS filesystem client accessing an encryption zone.
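A hypothetical Java model, added here and not Hadoop's own code, of the mechanism in the issue description (the per-instance flag lost when {{getCurrentUser()}} builds a fresh object from the same Subject) next to the static-state fix proposed in the comment; {{UgiModel}}, {{LoginMethod}} and the guard methods are invented names.

```java
import javax.security.auth.Subject;

// Hypothetical model, not Hadoop's UserGroupInformation.
public final class UgiModel {
    enum LoginMethod { NONE, KEYTAB, SUBJECT }

    // Proposed fix: record statically how the login user was established,
    // mirroring the static loginUserFromXXX entry points.
    private static LoginMethod loginMethod = LoginMethod.NONE;
    private static Subject loginSubject;

    private final Subject subject;
    // Per-instance flag from HADOOP-13558; only the Subject-login path sets it.
    private final boolean externalKeyTab;

    private UgiModel(Subject subject, boolean externalKeyTab) {
        this.subject = subject;
        this.externalKeyTab = externalKeyTab;
    }

    // The constructor getCurrentUser() uses: always delegates with FALSE.
    UgiModel(Subject subject) { this(subject, false); }

    Subject getSubject() { return subject; }

    static UgiModel loginUserFromSubject(Subject subject) {
        loginSubject = subject;
        loginMethod = LoginMethod.SUBJECT;
        return new UgiModel(subject, true);
    }

    static UgiModel getCurrentUser() {
        // A fresh instance from the same Subject: the TRUE flag set at
        // login time is not carried over. This is the reported bug.
        return new UgiModel(loginSubject);
    }

    // Buggy guard: trusts the instance flag, so the getCurrentUser()
    // instance would re-login from a keytab the Subject's owner never gave it.
    boolean shouldReloginFromKeytabBuggy() { return !externalKeyTab; }

    // Fixed guard: consults the static login method, so a Subject login
    // never triggers a keytab re-login no matter which instance is asked.
    boolean shouldReloginFromKeytabFixed() { return loginMethod == LoginMethod.KEYTAB; }

    public static void main(String[] args) {
        UgiModel login = loginUserFromSubject(new Subject());
        UgiModel current = getCurrentUser();
        System.out.println("login instance, buggy guard:   " + login.shouldReloginFromKeytabBuggy());
        System.out.println("current instance, buggy guard: " + current.shouldReloginFromKeytabBuggy());
        System.out.println("current instance, fixed guard: " + current.shouldReloginFromKeytabFixed());
    }
}
```

The second line shows the defect: the same Subject, asked through a {{getCurrentUser()}} instance, is judged eligible for a keytab re-login; the third line shows the static guard giving the same answer for every instance.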