hadoop-hdfs-issues mailing list archives

From "Aaron T. Myers (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-3568) fuse_dfs: add support for security
Date Sat, 07 Jul 2012 00:53:34 GMT

    [ https://issues.apache.org/jira/browse/HDFS-3568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13408502#comment-13408502 ]

Aaron T. Myers commented on HDFS-3568:
--------------------------------------

The latest patch looks pretty good to me. In addition to examining the code, I also tested
it manually and confirmed that it largely works as expected, save for one thing which I think
we should address in a follow-up JIRA.

I noticed during my testing that if one kinits as some principal "foo" and then does some
operation on fuse_dfs, then kdestroy and kinit as some principal "bar", subsequent operations
done via fuse_dfs will still use cached credentials for "foo". The reason for this is that
fuse_dfs caches Filesystem instances using the UID of the user running the command as the
key into the cache. I think this isn't a big deal, though, since it's pretty uncommon for
a single user to want to use credentials for several different principals on the same box.

Colin, if you agree, would you mind filing a follow-up JIRA for the above issue?

Two small comments with the current patch, +1 once these are addressed:

# In the following code, I think you might also want to assert that loginPrincipals.size()
== 1, and at least log a WARN if it's > 1:
{code}
+      Set<Principal> loginPrincipals = loginSubject.getPrincipals();
+      if (loginPrincipals.isEmpty()) {
+        throw new RuntimeException("No login principals found!");
+      }
+      User ugiUser = new User(loginPrincipals.iterator().next().getName(),
+          AuthenticationMethod.KERBEROS, login);
{code}
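Review bot: `loginPrincipals.iterator().next()` takes whichever element the Set happens to yield first, so if the login subject carries more than one principal, the name passed to `new User(...)` depends on iteration order rather than on an explicit choice. Suggest either selecting the Kerberos principal explicitly or failing when the set has more than one entry, and adding context to the "No login principals found!" message (which login was attempted) so the failure can be diagnosed from the log.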
# I think we should change the config key "kerberos.ticket.cache.path" to "hadoop.security.kerberos.ticket.cache.path",
to be more in line with the other security configs.
                
> fuse_dfs: add support for security
> ----------------------------------
>
>                 Key: HDFS-3568
>                 URL: https://issues.apache.org/jira/browse/HDFS-3568
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>    Affects Versions: 1.0.0, 2.0.0-alpha
>            Reporter: Colin Patrick McCabe
>            Assignee: Colin Patrick McCabe
>             Fix For: 1.1.0, 2.0.1-alpha
>
>         Attachments: HDFS-3568.001.patch, HDFS-3568.002.patch
>
>
> fuse_dfs should have support for Kerberos authentication.  This would allow FUSE to be
> used in a secure cluster.
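
The caching behaviour described in the comment above (Filesystem instances cached with the UID as the key, so a later kinit as another principal is not noticed), as an added C example that is not fuse_dfs code or part of the patch. The struct, the function names, and the principals are hypothetical; `fs_connect` stands in for opening an authenticated connection.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define MAX_ENTRIES 16
#define PRINC_LEN   64

/* Hypothetical cache entry: one authenticated handle per local user. */
struct fs_entry { uid_t uid; char principal[PRINC_LEN]; int in_use; };
static struct fs_entry cache[MAX_ENTRIES];

static struct fs_entry *find(uid_t uid) {
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (cache[i].in_use && cache[i].uid == uid) return &cache[i];
    return NULL;
}

/* Stand-in for authenticating as `principal`; reuses the user's slot. */
static struct fs_entry *fs_connect(uid_t uid, const char *principal) {
    struct fs_entry *e = find(uid);
    for (int i = 0; !e && i < MAX_ENTRIES; i++)
        if (!cache[i].in_use) e = &cache[i];
    if (!e) return NULL; /* cache full */
    e->uid = uid;
    e->in_use = 1;
    snprintf(e->principal, PRINC_LEN, "%s", principal);
    return e;
}

/* Behaviour described in the comment: the UID alone is the cache key. */
const char *lookup_uid_only(uid_t uid, const char *current) {
    struct fs_entry *e = find(uid);
    if (!e) e = fs_connect(uid, current);
    return e ? e->principal : NULL;
}

/* A hit counts only if the cached identity matches the current principal. */
const char *lookup_checked(uid_t uid, const char *current) {
    struct fs_entry *e = find(uid);
    if (!e || strcmp(e->principal, current) != 0)
        e = fs_connect(uid, current);
    return e ? e->principal : NULL;
}

int main(void) {
    printf("uid-only: %s\n", lookup_uid_only(1000, "foo@EXAMPLE.COM"));
    printf("uid-only: %s\n", lookup_uid_only(1000, "bar@EXAMPLE.COM")); /* stale */
    printf("checked:  %s\n", lookup_checked(1000, "bar@EXAMPLE.COM"));
    return 0;
}
```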
