hadoop-common-issues mailing list archives

From "Wei-Chiu Chuang (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HADOOP-9567) Provide auto-renewal for keytab based logins
Date Fri, 28 Sep 2018 12:44:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9567?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16631782#comment-16631782 ]

Wei-Chiu Chuang edited comment on HADOOP-9567 at 9/28/18 12:43 PM:
-------------------------------------------------------------------

Thanks [~ghelmling] and [~hgadre] for the patch.

I've been reviewing the latest patch (rev 003). Functionality-wise, for the most part it seems
to do what is expected, and that's great. UGI had been giving some headaches in the past,
so I'd like to take the time to think in terms of various scenarios.

 

What should be expected if a user calls UGI#loginUserFromKeytab() multiple times? From the
code it looks like only the first login user will be renewed. If the process calls loginUserFromKeytab()
the second time, the user doesn't get renewed.

 

What if UGI#getLogin() is called (assuming the user already performed kinit, and getLogin()
will login with tgt), followed by UGI#loginUserFromKeytab()? It seems the latter doesn't
get renewed.

 

Supportability: it would be really helpful if there is a way to tell if the user will renew
keytab automatically, or if it will renew tgt automatically.


was (Author: jojochuang):
Thanks [~ghelmling] and [~hgadre] for the patch.

I've been reviewing the latest patch (rev 003). Functionality-wise, for the most part it seems
to do what is expected. But UGI had been giving some headaches in the past, so I'd like to
take the time to think in terms of various scenarios.

 

What should be expected if a user calls UGI#loginUserFromKeytab() multiple times? From the
code it looks like only the first login user will be renewed. If the process calls loginUserFromKeytab()
the second time, the user doesn't get renewed.

 

What if UGI#getLogin() is called (assuming the user already performed kinit, and getLogin()
will login with tgt), followed by UGI#loginUserFromKeytab()? It seems the latter doesn't
get renewed.

 

Supportability: it would be really helpful if there is a way to tell if the user will renew
keytab automatically, or if it will renew tgt automatically.

> Provide auto-renewal for keytab based logins
> --------------------------------------------
>
>                 Key: HADOOP-9567
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9567
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.0.0-alpha
>            Reporter: Harsh J
>            Assignee: Hrishikesh Gadre
>            Priority: Minor
>         Attachments: HADOOP-9567-001.patch, HADOOP-9567-002.patch, HADOOP-9567-003.patch, HADOOP-9567.branch-2.7.001.patch
>
>
> We do a renewal for cached tickets (obtained via kinit before using a Hadoop application)
> but we explicitly seem to avoid doing a renewal for keytab based logins (done from within
> the client code) when we could do that as well via a similar thread.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
