hadoop-common-issues mailing list archives

From "Yicong Cai (Jira)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-16521) Subject has a contradiction between proxy user and real user
Date Tue, 20 Aug 2019 15:59:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-16521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16911494#comment-16911494
] 

Yicong Cai commented on HADOOP-16521:
-------------------------------------

[~daryn] Thank you very much for your detailed guidance. I neglected the basic principles of impersonation.

So: to solve the problem of proxy user in Hadoop Archive Logs tool, Kerberos information should be attached to RealUser when Client submits tasks, so that Task can build legitimate ProxyUser smoothly.

Is my understanding correct?

> Subject has a contradiction between proxy user and real user
> ------------------------------------------------------------
>
>                 Key: HADOOP-16521
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16521
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Yicong Cai
>            Priority: Major
>
> In the method UserGroupInformation#loginUserFromSubject, if you specify ProxyUser with HADOOP_PROXY_USER, and create a Proxy UGI instance, the valid Credentials are included in the User's PrivateCredentials. The UGI information is as follows:
>  
> {code:java}
>  proxyUGI
>  |
>  |--subject 1
>  | |
>  | |--principals
>  | | |
>  | | |--user
>  | | |
>  | |  --real user
>  | |
>  |  --privCredentials(all cred)
>  |
>   --proxy user
> {code}
>  
> If you first login Real User and then use UserGroupInformation#createProxyUser to create a Proxy UGI, the valid Credentials information is included in RealUser's subject PrivateCredentials. The UGI information is as follows:
>  
> {code:java}
> proxyUGI
>  |
>  |--subject 1
>  | |
>  | |--principals
>  | | |
>  | | |--user
>  | | |
>  | |  --real user
>  | |    |
>  | |     --subject 2
>  | |       |
>  | |        --privCredentials(all cred)
>  | |
>  |  --privCredentials(empty)
>  |
>   --proxy user
> {code}
>  
> Use the proxy user in the HDFS FileSystem to perform token-related operations.
> However, in the RPC Client Connection, use the token in RealUser for SaslRpcClient#saslConnect.
> So the main contradiction is, should ProxyUser's real Credentials information be placed in ProxyUGI's subject, or should it be placed in RealUser's subject?
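The second UGI layout in the quoted description (real user logged in first, then UserGroupInformation#createProxyUser) can be observed directly with Hadoop's public UGI API. The following is an added example written for this archive page, not code from the Jira issue or from the Hadoop project: it stands in a Kerberos login with createRemoteUser (an assumption made so it runs offline), attaches a constructed, meaningless token to the real user, and then shows that the proxy UGI's own subject carries no tokens while getRealUser() does. It also shows the defensive consequence a task launcher has to handle: collect credentials from both the proxy and the real user before handing them to a task, because getCurrentUser() inside doAs returns the proxy UGI with empty credentials.

```java
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;

/** Shows where tokens live in a proxy UGI built with createProxyUser. */
public class ProxyUgiCredentialsDemo {

    /** Constructed stand-in for a delegation token; the bytes are meaningless. */
    static Token<?> constructedToken() {
        return new Token<>("demo-identifier".getBytes(), "demo-password".getBytes(),
                new Text("DEMO_TOKEN_KIND"), new Text("demo-service"));
    }

    /**
     * Merge the proxy UGI's own credentials with its real user's credentials.
     * This is the set a client would ship to a task so the task can rebuild a
     * working proxy user; it is an illustrative helper, not a Hadoop API.
     */
    static Credentials credentialsForTask(UserGroupInformation proxyUgi) {
        Credentials merged = new Credentials();
        merged.addAll(proxyUgi.getCredentials());
        if (proxyUgi.getRealUser() != null) {
            merged.addAll(proxyUgi.getRealUser().getCredentials());
        }
        return merged;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: createRemoteUser replaces a Kerberos login so this runs offline.
        UserGroupInformation realUser = UserGroupInformation.createRemoteUser("realuser");
        realUser.addToken(constructedToken());

        // Same construction as the second layout in the issue description.
        UserGroupInformation proxy = UserGroupInformation.createProxyUser("proxied", realUser);

        System.out.println("auth method:        " + proxy.getAuthenticationMethod());      // PROXY
        System.out.println("real auth method:   " + proxy.getRealAuthenticationMethod());  // SIMPLE here
        System.out.println("proxy own tokens:   " + proxy.getCredentials().numberOfTokens());
        System.out.println("real user tokens:   " + proxy.getRealUser().getCredentials().numberOfTokens());

        // Inside doAs, the current user is the proxy UGI, whose own subject has no tokens.
        int visibleInsideTask = proxy.doAs((PrivilegedExceptionAction<Integer>) () ->
                UserGroupInformation.getCurrentUser().getCredentials().numberOfTokens());
        System.out.println("tokens seen in doAs: " + visibleInsideTask);

        // What a launcher should hand to the task: both levels merged.
        System.out.println("tokens for task:    " + credentialsForTask(proxy).numberOfTokens());
    }
}
```

Run with the Hadoop client jars on the classpath; with the layout above the proxy's own subject reports 0 tokens and the real user reports 1, which is exactly the split the issue asks about.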



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
