Date: Fri, 17 Feb 2017 17:17:41 +0000 (UTC)
From: "Yongjun Zhang (JIRA)"
To: common-issues@hadoop.apache.org
Subject: [jira] [Commented] (HADOOP-13805) UGI.getCurrentUser() fails if user does not have a keytab associated

    [ https://issues.apache.org/jira/browse/HADOOP-13805?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15872142#comment-15872142 ]

Yongjun Zhang commented on HADOOP-13805:
----------------------------------------

The test failures are pre-existing and reported as HADOOP-14030.

> UGI.getCurrentUser() fails if user does not have a keytab associated
> --------------------------------------------------------------------
>
>                 Key: HADOOP-13805
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13805
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.8.0, 2.9.0, 3.0.0-alpha2
>            Reporter: Alejandro Abdelnur
>            Assignee: Xiao Chen
>         Attachments: HADOOP-13805.006.patch, HADOOP-13805.007.patch, HADOOP-13805.008.patch, HADOOP-13805.009.patch, HADOOP-13805.010.patch, HADOOP-13805.01.patch, HADOOP-13805.02.patch, HADOOP-13805.03.patch, HADOOP-13805.04.patch, HADOOP-13805.05.patch
>
>
> HADOOP-13558 intention was to avoid UGI from trying to renew the TGT when the UGI is created from an existing Subject as in that case the keytab is not 'own' by UGI but by the creator of the Subject.
> In HADOOP-13558 we introduced a new private UGI constructor {{UserGroupInformation(Subject subject, final boolean externalKeyTab)}} and we use with TRUE only when doing a {{UGI.loginUserFromSubject()}}.
> The problem is, when we call {{UGI.getCurrentUser()}}, and UGI was created via a Subject (via the {{UGI.loginUserFromSubject()}} method), we call {{new UserGroupInformation(subject)}} which will delegate to {{UserGroupInformation(Subject subject, final boolean externalKeyTab)}} and that will use externalKeyTab == *FALSE*.
> Then the UGI returned by {{UGI.getCurrentUser()}} will attempt to login using a non-existing keytab if the TGT expired.
> This problem is experienced in {{KMSClientProvider}} when used by the HDFS filesystem client accessing an encryption zone.
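
The flag loss described in the quoted issue, as an added example that is not part of the original message and is not Hadoop code. ModelUgi and every method on it are hypothetical stand-ins that only mirror the constructor delegation named in the description; the "keeping flag" variant is an assumed remedy for illustration, not the committed patch.

```java
import javax.security.auth.Subject;

// Simplified model of the behaviour described in HADOOP-13805.
// ModelUgi is a hypothetical stand-in, not Hadoop's UserGroupInformation.
public class ExternalKeytabFlagDemo {
    static final class ModelUgi {
        final Subject subject;
        final boolean externalKeyTab;   // true: the Subject's creator owns the keytab

        // Single-argument constructor delegates with externalKeyTab == false.
        ModelUgi(Subject subject) { this(subject, false); }

        ModelUgi(Subject subject, boolean externalKeyTab) {
            this.subject = subject;
            this.externalKeyTab = externalKeyTab;
        }

        // A UGI that believes it owns the keytab tries to log in again from it.
        boolean wouldReloginFromKeytab(boolean tgtExpired) {
            return tgtExpired && !externalKeyTab;
        }
    }

    static ModelUgi loginUser;   // set by loginUserFromSubject()

    static void loginUserFromSubject(Subject s) { loginUser = new ModelUgi(s, true); }

    // As described in the issue: a fresh wrapper is built from the Subject alone,
    // so the flag recorded at login is not carried over.
    static ModelUgi getCurrentUserAsDescribed(Subject current) {
        return new ModelUgi(current);
    }

    // Assumed remedy (not the committed patch): reuse the flag recorded at login
    // when the current Subject is the same object as the login Subject.
    static ModelUgi getCurrentUserKeepingFlag(Subject current) {
        boolean external = loginUser != null && loginUser.subject == current
                && loginUser.externalKeyTab;
        return new ModelUgi(current, external);
    }

    public static void main(String[] args) {
        Subject s = new Subject();   // constructed sample: empty Subject, no Kerberos needed
        loginUserFromSubject(s);
        System.out.println("login UGI external:      " + loginUser.externalKeyTab);
        ModelUgi a = getCurrentUserAsDescribed(s);
        System.out.println("as described, relogin:   " + a.wouldReloginFromKeytab(true));
        ModelUgi b = getCurrentUserKeepingFlag(s);
        System.out.println("flag preserved, relogin: " + b.wouldReloginFromKeytab(true));
    }
}
```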