hadoop-common-issues mailing list archives

From "Yongjun Zhang (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-13805) UGI.getCurrentUser() fails if user does not have a keytab associated
Date Fri, 03 Mar 2017 18:08:45 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-13805?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Yongjun Zhang updated HADOOP-13805:
-----------------------------------
    Release Note: 
Due to a remaining issue after HADOOP-13558, a UGI may still try to renew the TGT even though
the UGI is created from an existing Subject. The renewal would fail because of the non-existing
keytab.

Fixing the issue means different behavior, which is incompatible; however, the configuration property
"hadoop.treat.subject.external" is introduced to enable the fix (disabled by default). The
behavior is the same as before when the fix is not enabled.


  was:
Due to a remaining issue after HADOOP-13558, a UGI may still try to renew the TGT even though
the UGI is created from an existing Subject. The renewal would fail because of the non-existing
keytab.

Fixing the issue means different behavior, which is incompatible; however, hadoop.treat.subject.external
is introduced to enable the fix (disabled by default). The behavior is the same as before
when the fix is not enabled.



> UGI.getCurrentUser() fails if user does not have a keytab associated
> --------------------------------------------------------------------
>
>                 Key: HADOOP-13805
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13805
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.8.0, 2.9.0, 3.0.0-alpha2
>            Reporter: Alejandro Abdelnur
>            Assignee: Xiao Chen
>             Fix For: 3.0.0-alpha3
>
>         Attachments: HADOOP-13805.006.patch, HADOOP-13805.007.patch, HADOOP-13805.008.patch, HADOOP-13805.009.patch, HADOOP-13805.010.patch, HADOOP-13805.01.patch, HADOOP-13805.02.patch, HADOOP-13805.03.patch, HADOOP-13805.04.patch, HADOOP-13805.05.patch
>
>
> The intention of HADOOP-13558 was to prevent UGI from trying to renew the TGT when the UGI is created from an existing Subject, as in that case the keytab is not 'owned' by UGI but by the creator of the Subject.
> In HADOOP-13558 we introduced a new private UGI constructor {{UserGroupInformation(Subject subject, final boolean externalKeyTab)}} and we use it with TRUE only when doing a {{UGI.loginUserFromSubject()}}.
> The problem is, when we call {{UGI.getCurrentUser()}}, and UGI was created via a Subject (via the {{UGI.loginUserFromSubject()}} method), we call {{new UserGroupInformation(subject)}} which will delegate to {{UserGroupInformation(Subject subject, final boolean externalKeyTab)}} and that will use externalKeyTab == *FALSE*.
> Then the UGI returned by {{UGI.getCurrentUser()}} will attempt to login using a non-existing keytab if the TGT expired.
> This problem is experienced in {{KMSClientProvider}} when used by the HDFS filesystem client accessing an encryption zone.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
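
The flag loss described in the issue, as an added, simplified Java model. It is not Hadoop's UserGroupInformation code and not the attached patch; the class and method bodies, and the way the property feeds the one-argument constructor, are assumptions made for illustration.

```java
import javax.security.auth.Subject;

/** Toy model of the HADOOP-13805 flow. This is not Hadoop's UserGroupInformation. */
public class ExternalSubjectModel {
  /** Stand-in for "hadoop.treat.subject.external" (disabled by default). */
  static boolean treatSubjectExternal = false;
  private static Subject loginSubject;

  static final class Ugi {
    final Subject subject;
    final boolean externalKeyTab;

    /** Used by getCurrentUser(): the original caller's flag is not available here. */
    Ugi(Subject subject) {
      // Assumption: with the fix enabled the property supplies the flag;
      // with it disabled this behaves like the old hard-coded false.
      this(subject, treatSubjectExternal);
    }

    Ugi(Subject subject, boolean externalKeyTab) {
      this.subject = subject;
      this.externalKeyTab = externalKeyTab;
    }

    /** What this UGI does once it notices that the TGT has expired. */
    String onTgtExpired() {
      if (externalKeyTab) {
        return "no relogin: the Subject's creator owns the credentials";
      }
      return "relogin from keytab attempted: fails, UGI has no keytab";
    }
  }

  static Ugi loginUserFromSubject(Subject subject) {
    loginSubject = subject;
    return new Ugi(subject, true); // the only call site that passes TRUE
  }

  static Ugi getCurrentUser() {
    return new Ugi(loginSubject); // rebuilt through the one-argument constructor
  }

  public static void main(String[] args) {
    Subject external = new Subject(); // constructed sample: credentials managed elsewhere
    for (boolean enabled : new boolean[] {false, true}) {
      treatSubjectExternal = enabled;
      Ugi login = loginUserFromSubject(external);
      Ugi current = getCurrentUser();
      System.out.printf("property=%b login.external=%b current.external=%b -> %s%n",
          enabled, login.externalKeyTab, current.externalKeyTab, current.onTgtExpired());
    }
  }
}
```

With the property left at its default, the object returned by the model's `getCurrentUser()` disagrees with the one returned by `loginUserFromSubject()` about who owns the credentials, which is the mismatch the issue reports.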
