hadoop-hdfs-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Wei-Chiu Chuang (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HDFS-13520) fuse_dfs to support keytab based login
Date Wed, 02 May 2018 18:15:00 GMT
Wei-Chiu Chuang created HDFS-13520:
--------------------------------------

             Summary: fuse_dfs to support keytab based login
                 Key: HDFS-13520
                 URL: https://issues.apache.org/jira/browse/HDFS-13520
             Project: Hadoop HDFS
          Issue Type: Improvement
    Affects Versions: 2.6.0
         Environment: Hadoop 2.6/3.0, Kerberized, fuse_dfs
            Reporter: Wei-Chiu Chuang


It looks like the current fuse_dfs implementation supports login using current kerberos credential.
If the tgt expires, it fails with the following error:
{noformat}
hdfsBuilderConnect(forceNewInstance=1, nn=hdfs://ns1, port=0, kerbTicketCachePath=/tmp/krb5cc_2000,
userName=systest) error:
LoginException: Unable to obtain Principal Name for authentication org.apache.hadoop.security.KerberosAuthException:
failure to login: for user: systest using ticket cache file: /tmp/krb5cc_2000 javax.security.auth.login.LoginException:
Unable to obtain Principal Name for authentication
at org.apache.hadoop.security.UserGroupInformation.getUGIFromTicketCache(UserGroupInformation.java:807)
at org.apache.hadoop.security.UserGroupInformation.getBestUGI(UserGroupInformation.java:742)
at org.apache.hadoop.fs.FileSystem.newInstance(FileSystem.java:404)
Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication
at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:841)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:704)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at org.apache.hadoop.security.UserGroupInformation.getUGIFromTicketCache(UserGroupInformation.java:788)
... 2 more

{noformat}
This is reproducible easily in a test cluster with an extremely short ticket life time (e.g.
1 minute)

Note: HDFS-3608 addresses a similar issue, but in this case, since the ticket cache file itself
does not change, fuse couldn't detect & update.

It looks like it should call UserGroupInformation#loginFromKeytab() in the beginning, similar
to how balancer supports keytab based login (HDFS-9804). Thanks [~xiaochen] for the idea.

Or alternatively, have a background process that continuously relogin from keytab.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: hdfs-dev-help@hadoop.apache.org


Mime
View raw message