Hello Devs,
I'm Vipin, a long-time Apache Hadoop user, and I like to tinker around in my
free time. I've been an MIT Kerberos contributor in my past life.

While chasing the Kerberos credential cache usage in Hadoop, I found out
that the UGI code[1] makes use of the KRB5CCNAME environment variable to find
the credential cache name and defaults to /tmp/krb5cc_$uid when there is no
KRB5CCNAME defined, while completely ignoring the values defined in
/etc/krb5.conf.

As per the MIT Kerberos doc[2], the correct credential cache location logic
should be:
****************************
Default ccache name
The default credential cache name is determined by the following, in
descending order of priority:
    The KRB5CCNAME environment variable. For example, KRB5CCNAME=DIR:/mydir/.
    The default_ccache_name profile variable in [libdefaults].
    The hardcoded default, DEFCCNAME.
****************************

I propose to include support for reading default_ccache_name from
/etc/krb5.conf while deciding the right Kerberos credential cache to use.

I am currently testing a patch but wanted to check what the community
thinks before submitting.

Thanks for reading and I'm open to discussing any suggestions.

Regards,
Vipin

[1]
https://github.com/apache/hadoop/blob/ae3a2c3851cbf7f010f7ae5734ed9e2dbac5d50c/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java#L2045
[2]
https://web.mit.edu/kerberos/krb5-1.15/doc/basic/ccache_def.html#default-ccache-name
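
The lookup order quoted from the MIT documentation above, as an added Java sketch that is not part of the original message and not Hadoop's or the proposed patch's code. The class and method names are hypothetical; it assumes a flat [libdefaults] section, expands only the %{uid} token, and takes the hardcoded default to be the /tmp/krb5cc_$uid location mentioned in the message.

```java
import java.util.List;
import java.util.Map;

public class CcacheNameResolver {
    // Assumed fallback, mirroring the /tmp/krb5cc_$uid default described in the message.
    static final String HARDCODED_DEFAULT = "FILE:/tmp/krb5cc_%{uid}";

    /** Returns default_ccache_name from [libdefaults], or null if it is not set. */
    static String fromProfile(List<String> krb5ConfLines) {
        String section = "";
        for (String raw : krb5ConfLines) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#") || line.startsWith(";")) continue;
            if (line.startsWith("[") && line.endsWith("]")) {
                section = line.substring(1, line.length() - 1).trim();
                continue;
            }
            int eq = line.indexOf('=');
            if (eq > 0 && section.equals("libdefaults")
                    && line.substring(0, eq).trim().equals("default_ccache_name")) {
                return line.substring(eq + 1).trim();
            }
        }
        return null;
    }

    /** Priority: KRB5CCNAME, then the profile variable, then the hardcoded default. */
    static String resolve(Map<String, String> env, List<String> krb5ConfLines, String uid) {
        String name = env.get("KRB5CCNAME");
        if (name == null) name = fromProfile(krb5ConfLines);
        if (name == null) name = HARDCODED_DEFAULT;
        return name.replace("%{uid}", uid);
    }

    /** Path for FILE caches (explicit prefix or bare path); null for types such as DIR:. */
    static String filePathOrNull(String ccacheName) {
        if (ccacheName.startsWith("FILE:")) return ccacheName.substring(5);
        return ccacheName.startsWith("/") ? ccacheName : null;
    }

    public static void main(String[] args) {
        // Constructed sample profile; a real caller would read /etc/krb5.conf instead.
        List<String> conf = List.of("[libdefaults]", "  default_realm = EXAMPLE.COM",
                "  default_ccache_name = FILE:/run/user/%{uid}/krb5cc", "[realms]");
        String uid = "1000"; // constructed uid
        String fromConf = resolve(Map.of(), conf, uid);
        String fromEnv = resolve(Map.of("KRB5CCNAME", "DIR:/mydir/"), conf, uid);
        String fallback = resolve(Map.of(), List.of("[libdefaults]"), uid);
        System.out.println(fromConf + " -> " + filePathOrNull(fromConf));
        System.out.println(fromEnv + " -> " + filePathOrNull(fromEnv));
        System.out.println(fallback + " -> " + filePathOrNull(fallback));
    }
}
```

The DIR: case returns null from filePathOrNull because a directory collection is not a single cache file, so a caller that expects a file path has to handle it separately.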
