hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HDFS-3553) Hftp proxy tokens are broken
Date Mon, 02 Jul 2012 21:09:29 GMT

     [ https://issues.apache.org/jira/browse/HDFS-3553?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Daryn Sharp updated HDFS-3553:
------------------------------

    Attachment: HDFS-3553-1.branch-1.0.patch

Problem is in both the hftp client and the NN.
# NN is trying to perform authorization checks on a proxy token.  Auth checks only apply to
UGI when there is no token, else NN rejects proxy tokens from DNs.
# Real user does not need to be checked for a proxy token.  Task does not know the real user.
 What's relevant is that the user has a token, not who vouched for the token.
# Hftp is trying to negotiate kerberos as the effective user, but the effective user of a
proxy ugi has no TGT.  The real user has the TGT.

Patch has been tested with direct distcp &  oozie + distcp.
                
> Hftp proxy tokens are broken
> ----------------------------
>
>                 Key: HDFS-3553
>                 URL: https://issues.apache.org/jira/browse/HDFS-3553
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 1.0.2, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HDFS-3553-1.branch-1.0.patch, HDFS-3553.branch-1.0.patch
>
>
> Proxy tokens are broken for hftp.  The impact is systems using proxy tokens, such as
oozie jobs, cannot use hftp.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message