From: Larry McCay
To: user@hadoop.apache.org
Date: Mon, 6 Oct 2014 13:57:51 -0400
Subject: Re: How to login a user with password to Kerberos Hadoop instead of ticket cache or key tab file ?

You may find this approach interesting.

https://issues.apache.org/jira/browse/HADOOP-10342

The idea is that you preauthenticate using JAAS/krb5 or something in your application and then leverage the resulting Java Subject to assert the authenticated identity.

On Mon, Oct 6, 2014 at 1:51 PM, Xiaohua Chen wrote:

> Hi Experts,
>
> We have a use case which needs to login user into Kerberos hadoop
> using the kerberos user's name and password.
>
> I have searched around and only found that
> 1) one can login a user from ticket cache ( this is the default one) or
> 2) login a user from this user's keytab file e.g.
> UserGroupInformation.loginUserFromKeytabAndReturnUGI("sochen",
> "/tmp/sochen.keytab");
>
> Can you shed some light how I can login a user using his kerberos
> password and get a UserGroupInformation object so I can invoke
> doAs(....) to access the HDFS file system ?
>
> Thanks a lot!
>
> Sophia
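The approach described in the reply, as an added example that is not part of the original thread or of the Hadoop project's code: a JAAS password login through Krb5LoginModule, with the resulting Subject handed to UserGroupInformation. It assumes a Hadoop release that includes the HADOOP-10342 method UserGroupInformation.loginUserFromSubject, a krb5.conf the JVM can find, and an interactive console; the class name, the JAAS entry name "password-login" and the /tmp path are placeholders.

```java
import java.security.PrivilegedExceptionAction;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

public class PasswordLoginExample {  // hypothetical class name
  public static void main(String[] args) throws Exception {
    final String principal = args[0];  // e.g. user@EXAMPLE.COM (placeholder)
    final char[] password = System.console().readPassword("Kerberos password: ");
    // In-memory JAAS configuration: password login only, no ticket cache, no keytab.
    Configuration jaas = new Configuration() {
      @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useTicketCache", "false");
        opts.put("useKeyTab", "false");
        opts.put("doNotPrompt", "false");
        return new AppConfigurationEntry[] { new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
      }
    };
    CallbackHandler handler = callbacks -> {
      for (Callback cb : callbacks) {
        if (cb instanceof NameCallback) ((NameCallback) cb).setName(principal);
        else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
        else throw new UnsupportedCallbackException(cb);
      }
    };
    LoginContext lc = new LoginContext("password-login", new Subject(), handler, jaas);
    try {
      lc.login();                    // authenticates against the KDC and stores the TGT in the Subject
    } finally {
      Arrays.fill(password, '\0');   // wipe our copy of the password whether or not login succeeded
    }
    // Hand the authenticated Subject to Hadoop and act as that user.
    org.apache.hadoop.conf.Configuration conf = new org.apache.hadoop.conf.Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    UserGroupInformation.setConfiguration(conf);
    UserGroupInformation.loginUserFromSubject(lc.getSubject());
    UserGroupInformation ugi = UserGroupInformation.getLoginUser();
    boolean exists = ugi.doAs((PrivilegedExceptionAction<Boolean>) () ->
        FileSystem.get(conf).exists(new Path("/tmp")));
    System.out.println(ugi.getUserName() + ": /tmp exists = " + exists);
  }
}
```

loginUserFromSubject sets the login user for the whole JVM, so this shape fits a client process acting for one user at a time.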