Date: Mon, 2 Jul 2012 21:09:29 +0000 (UTC)
From: "Daryn Sharp (JIRA)"
To: hdfs-issues@hadoop.apache.org
Subject: [jira] [Updated] (HDFS-3553) Hftp proxy tokens are broken

     [ https://issues.apache.org/jira/browse/HDFS-3553?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daryn Sharp updated HDFS-3553:
------------------------------

    Attachment: HDFS-3553-1.branch-1.0.patch

Problem is in both the hftp client and the NN.
# NN is trying to perform authorization checks on a proxy token. Auth checks only apply to UGI when there is no token, else NN rejects proxy tokens from DNs.
# Real user does not need to be checked for a proxy token. Task does not know the real user. What's relevant is that the user has a token, not who vouched for the token.
# Hftp is trying to negotiate kerberos as the effective user, but the effective user of a proxy ugi has no TGT. The real user has the TGT.

Patch has been tested with direct distcp & oozie + distcp.

> Hftp proxy tokens are broken
> ----------------------------
>
>                 Key: HDFS-3553
>                 URL: https://issues.apache.org/jira/browse/HDFS-3553
>             Project: Hadoop HDFS
>          Issue Type: Bug
>    Affects Versions: 1.0.2, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HDFS-3553-1.branch-1.0.patch, HDFS-3553.branch-1.0.patch
>
>
> Proxy tokens are broken for hftp. The impact is systems using proxy tokens, such as oozie jobs, cannot use hftp.
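The three points in the comment above, as an added stand-alone model; this is not the attached patch and not Hadoop code. The class `Ugi`, the methods, the host names and the ACL are hypothetical, and the model assumes the rejection comes from a host-based impersonation check and that any token presented has already been validated.

```java
import java.util.Map;
import java.util.Set;

// Simplified model, not Hadoop code. Ugi stands in for Hadoop's UserGroupInformation.
public class ProxyTokenModel {
    static final class Ugi {
        final String user;     // effective user
        final Ugi realUser;    // non-null only for a proxy UGI
        final boolean hasTgt;  // whether this login holds a Kerberos TGT
        Ugi(String user, Ugi realUser, boolean hasTgt) {
            this.user = user; this.realUser = realUser; this.hasTgt = hasTgt;
        }
    }

    // Constructed impersonation ACL: real user -> hosts it may impersonate from.
    static final Map<String, Set<String>> PROXY_HOSTS =
        Map.of("oozie", Set.of("oozie-host"));

    // Impersonation check: may the real user act as someone else from this host?
    static boolean proxyAllowed(Ugi ugi, String remoteHost) {
        if (ugi.realUser == null) return true;  // not a proxy UGI, nothing to check
        Set<String> hosts = PROXY_HOSTS.get(ugi.realUser.user);
        return hosts != null && hosts.contains(remoteHost);
    }

    // NameNode side. fixed=false models the bug: the impersonation check also
    // runs for token-authenticated requests. The token is assumed valid here.
    static boolean nnAccepts(Ugi ugi, boolean viaToken, String remoteHost, boolean fixed) {
        if (fixed && viaToken) return true;  // holding the token is what matters
        return proxyAllowed(ugi, remoteHost);
    }

    // Client side: negotiate Kerberos as the login that actually holds the TGT.
    static Ugi kerberosLogin(Ugi ugi) {
        return ugi.realUser != null ? ugi.realUser : ugi;
    }

    public static void main(String[] args) {
        Ugi oozie = new Ugi("oozie", null, true);
        Ugi alice = new Ugi("alice", oozie, false);  // proxy UGI: oozie acting as alice
        // A task on a DataNode presents alice's token from a host outside the ACL.
        System.out.println("token, buggy NN: " + nnAccepts(alice, true, "dn-17", false));
        System.out.println("token, fixed NN: " + nnAccepts(alice, true, "dn-17", true));
        // Without a token the impersonation check still applies.
        System.out.println("no token, fixed NN: " + nnAccepts(alice, false, "dn-17", true));
        Ugi login = kerberosLogin(alice);
        System.out.println("negotiate as " + login.user + ", has TGT: " + login.hasTgt);
    }
}
```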