hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HDFS-3553) Hftp proxy tokens are broken
Date Mon, 02 Jul 2012 21:09:29 GMT

     [ https://issues.apache.org/jira/browse/HDFS-3553?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Daryn Sharp updated HDFS-3553:

    Attachment: HDFS-3553-1.branch-1.0.patch

Problem is in both the hftp client and the NN.
# NN is trying to perform authorization checks on a proxy token.  Auth checks only apply to
UGI when there is no token, else NN rejects proxy tokens from DNs.
# Real user does not need to be checked for a proxy token.  Task does not know the real user.
 What's relevant is that the user has a token, not who vouched for the token.
# Hftp is trying to negotiate kerberos as the effective user, but the effective user of a
proxy ugi has no TGT.  The real user has the TGT.

Patch has been tested with direct distcp &  oozie + distcp.
> Hftp proxy tokens are broken
> ----------------------------
>                 Key: HDFS-3553
>                 URL: https://issues.apache.org/jira/browse/HDFS-3553
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 1.0.2, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HDFS-3553-1.branch-1.0.patch, HDFS-3553.branch-1.0.patch
> Proxy tokens are broken for hftp.  The impact is systems using proxy tokens, such as
oozie jobs, cannot use hftp.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


View raw message