hadoop-common-issues mailing list archives
From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-15758) Filesystem.get(URI, Configuration, user) API not working with proxy users
Date Wed, 26 Sep 2018 16:35:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-15758?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16629025#comment-16629025 ]

Daryn Sharp commented on HADOOP-15758:
--------------------------------------

{quote}Now as I see it, HDFS-3568 introduced an additional possibility - the application provides
the user name as well as the ticket cache path. The question is should it treat this as a
proxy user scenario? If this scenario is not valid, then we probably need to add documentation
to discourage its use or even throw an error?
{quote}
This API absolutely must not create a proxy user. The API is "I want to be this user from
this ticket cache". Nothing more, nothing less. There's a fundamental misunderstanding
of proxy users I'll attempt to clarify.
{quote}The user is trying to use this method signature to mimic proxy user functionality e.g.
provide ticket cache based kerberos credentials
{quote}
You cannot mimic a proxy user. A proxy user is a specific construct. There is no substitute.
A proxy user is a ugi that lacks its own authentication credentials, thus it explicitly encapsulates
a "real" ugi that does contain kerberos credentials. The real ugi's user must be specifically
configured on the target service to allow impersonation of the proxied user.

There is no correlation between a proxy user and a ticket cache. The real ugi can supply ticket
cache or keytab based credentials. All that matters is the real user has credentials.
{quote}The alternative, to use [proxy users functionality|https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html]
in Hadoop works as expected.
{quote}
It's not an alternative, it's the only option if you need impersonation.

Additionally, any impersonating service should never ever be ticket cache based. Use a keytab.
Otherwise you may be very surprised when the proxy user service morphs into a different user
if/when someone/something does a kinit as a different user.

> Filesystem.get(URI, Configuration, user) API not working with proxy users
> -------------------------------------------------------------------------
>
>                 Key: HADOOP-15758
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15758
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.6.0, 3.0.0
>            Reporter: Hrishikesh Gadre
>            Assignee: Hrishikesh Gadre
>            Priority: Major
>         Attachments: HADOOP-15758-001.patch
>
>
> A user reported that the Filesystem.get API is not working as expected when they use
> the 'FileSystem.get(URI, Configuration, user)' method signature - but 'FileSystem.get(URI,
> Configuration)' works fine. The user is trying to use this method signature to mimic proxy
> user functionality e.g. provide ticket cache based Kerberos credentials (using KRB5CCNAME
> env variable) for the proxy user and then in the Java program pass name of the user to be
> impersonated. The alternative, to use [proxy users functionality|https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html]
> in Hadoop works as expected.
>
> Since FileSystem.get(URI, Configuration, user) is a public API and it does not restrict
> its usage in this fashion, we should ideally make it work or add docs to discourage its usage to
> implement proxy users.
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
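The pattern Daryn describes above (a keytab-authenticated "real" UGI wrapped by a credential-less proxy UGI, with impersonation authorized on the NameNode through the hadoop.proxyuser.* settings from the linked Superusers page), written out as an added example; it is not part of this JIRA thread or of the HADOOP-15758 patch. The service principal, keytab path, NameNode host and end-user name are placeholders, and the three-argument FileSystem.get(URI, Configuration, user) is deliberately not used, since it does not build a proxy user.

```java
import java.net.URI;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

public class ProxyUserExample {
    public static void main(String[] args) throws Exception {
        // All principals, paths and hostnames below are placeholders for illustration.
        final Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);

        // 1. The impersonating service authenticates from a keytab, never a ticket cache:
        //    a ticket cache can be replaced underneath the service by any later kinit.
        UserGroupInformation.loginUserFromKeytab(
                "svc-etl/etl-host.example.com@EXAMPLE.COM",   // placeholder principal
                "/etc/security/keytabs/svc-etl.keytab");       // placeholder keytab path
        UserGroupInformation real = UserGroupInformation.getLoginUser();

        // 2. Build the proxy UGI. It holds no Kerberos credentials of its own; it only
        //    names the proxied user and encapsulates the real UGI that does have them.
        final String proxied = args.length > 0 ? args[0] : "alice";  // placeholder end user
        UserGroupInformation proxy = UserGroupInformation.createProxyUser(proxied, real);

        // 3. Run the filesystem call inside the proxy UGI. The NameNode sees the request as
        //    "alice" vouched for by "svc-etl", and accepts it only if its core-site.xml
        //    allows svc-etl to impersonate via hadoop.proxyuser.svc-etl.hosts together with
        //    hadoop.proxyuser.svc-etl.groups or hadoop.proxyuser.svc-etl.users.
        final URI uri = new URI("hdfs://nn.example.com:8020");  // placeholder NameNode
        boolean homeExists = proxy.doAs((PrivilegedExceptionAction<Boolean>) () -> {
            try (FileSystem fs = FileSystem.get(uri, conf)) {
                return fs.exists(new Path("/user/" + proxied));
            }
        });

        // The proxy UGI reports the proxied user; its real user is the keytab identity.
        System.out.println("real=" + real.getShortUserName()
                + " proxied=" + proxy.getShortUserName()
                + " realUserOfProxy=" + proxy.getRealUser().getShortUserName()
                + " homeExists=" + homeExists);
    }
}
```

If the NameNode has no matching hadoop.proxyuser.svc-etl.* entries, the doAs call fails with an authorization error naming the real user, which is the check Daryn refers to when he says the real user "must be specifically configured on the target service".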
