hadoop-hdfs-user mailing list archives

From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: UserGroupInformation and login with password
Date Mon, 17 Aug 2015 23:39:44 GMT
Hi John,

Login from keytab is mostly expected for services. For end users, yes, they use passwords.
In Kerberos (and Hadoop), end users are expected to run a kinit-like tool to generate
a ticket cache; then methods such as login from ticket cache in UGI will do the rest of the
work and help in your case.

Or do you have to use the password directly in your program? If so, you may add the method
yourself: 1) let your program prompt the user for the password; 2) if your program has gathered
the password by other means, then use some support like the one below:
In Krb5LoginModule:
*    useFirstPass   if, true, this LoginModule retrieves the
*                   username and password from the module's shared state,
*                   using "javax.security.auth.login.name" and
*                   "javax.security.auth.login.password" as the respective
*                   keys. The retrieved values are used for authentication.
*                   If authentication fails, no attempt for a retry
*                   is made, and the failure is reported back to the
*                   calling application.

Hope this helps.


From: John Lilley [mailto:john.lilley@redpoint.net]
Sent: Monday, August 17, 2015 11:28 PM
To: 'user@hadoop.apache.org'
Subject: UserGroupInformation and login with password


Our software uses UserGroupInformation to authenticate with Kerberos-secure clusters.  We've
found that there are obvious methods for logging in via keytab:

However, there are not obvious analogous methods for password-based login.  We've created
the equivalent to loginUserFromPassword() using reflection to access private members, but
have not yet created the equivalent reloginFromPassword().

It doesn't seem right to be using reflection here, but we cannot find the public API for principal/password
login and relogin.  It seems like this should be something simple.  We do need to support
password, because many of our customers do not allow keytabs.

John Lilley
