If you haven't guessed, Kerberos is an eternal support of pain and
suffering

Any change must be matched with clarifications to the hadoop security docs,
and KDiag extended to provide extra information about the source of the
cache.

One big risk here is over regressions across versions of clients


On Mon, Mar 18, 2019 at 11:48 PM Vipin Rathor <v.rat...@gmail.com> wrote:

> Hello Devs,
> I'm Vipin, a long time Apache Hadoop user and I like to tinker around in my
> free time. I've been a MIT Kerberos contributor in my past life.
>
> While chasing the Kerberos credential cache usage in Hadoop, I found out
> that UGI code[1] makes use of KRB5CCNAME environment variable to find the
> credential cache name and defaults to /tmp/krb5cc_$uid when there is no
> KRB5CCNAME defined, while completely ignoring the values defined in
> /etc/krb5.conf.
>
> As per MIT Kerberos doc[2], the correct credential cache location logic
> should be:
> ****************************
> Default ccache name
> The default credential cache name is determined by the following, in
> descending order of priority:
>     The KRB5CCNAME environment variable. For example,
> KRB5CCNAME=DIR:/mydir/.
>     The default_ccache_name profile variable in [libdefaults].
>     The hardcoded default, DEFCCNAME.
> ****************************
>
> I propose to include support for reading default_ccache_name from
> /etc/krb5.conf while deciding the right Kerberos credential cache to use.
>
> I am testing a patch currently but wanted to check what does the community
> think before submitting.
>
> Thanks for reading and I'm open to discuss any suggestions.
>
> Regards,
> Vipin
>
> [1]
>
> https://github.com/apache/hadoop/blob/ae3a2c3851cbf7f010f7ae5734ed9e2dbac5d50c/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java#L2045
> [2]
>
> https://web.mit.edu/kerberos/krb5-1.15/doc/basic/ccache_def.html#default-ccache-name
>
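As an added illustration (not code from this thread, from Hadoop, or from MIT Kerberos), the following Python models the three-step priority order quoted from the MIT docs above, alongside the env-var-or-/tmp behaviour the post describes for UGI, and reports which source a name came from, the kind of information KDiag would need to surface. The krb5.conf text and uid are constructed for the example, and `parse_libdefaults` is a minimal stand-in for MIT's profile library, not a full krb5.conf parser.

```python
import re

# MIT's build-time default in its documented form; the %{uid} parameter
# is expanded at run time (assumed value for this example).
DEFCCNAME = "FILE:/tmp/krb5cc_%{uid}"

# Constructed sample krb5.conf: a site that moved caches into the kernel keyring.
SAMPLE_KRB5_CONF = """\
# constructed for this example
[libdefaults]
    default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""


def parse_libdefaults(krb5_conf_text):
    """Return key=value pairs from the [libdefaults] section only.

    Minimal stand-in for MIT's profile library: comment lines start with
    '#' or ';', sections are [name], and nested {} blocks are ignored here.
    """
    section = None
    values = {}
    for raw in krb5_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def expand(name, uid):
    """Expand the %{uid} parameter used in MIT ccache names."""
    return name.replace("%{uid}", str(uid))


def resolve_ccache(env, krb5_conf_text, uid):
    """MIT order: KRB5CCNAME, then default_ccache_name, then DEFCCNAME.

    Returns (ccache_name, source) so a diagnostic can say where it came from.
    """
    if env.get("KRB5CCNAME"):
        return env["KRB5CCNAME"], "KRB5CCNAME"
    profile = parse_libdefaults(krb5_conf_text)
    if profile.get("default_ccache_name"):
        return expand(profile["default_ccache_name"], uid), "default_ccache_name"
    return expand(DEFCCNAME, uid), "DEFCCNAME"


def hadoop_style_resolve(env, uid):
    """The behaviour the post describes for UGI: env var, else /tmp/krb5cc_$uid,
    with /etc/krb5.conf never consulted."""
    return env.get("KRB5CCNAME") or f"/tmp/krb5cc_{uid}"


def diverges(env, krb5_conf_text, uid):
    """True when the two strategies would open different caches, i.e. when
    the profile variable is what actually picks the cache on this host."""
    mit_name, source = resolve_ccache(env, krb5_conf_text, uid)
    return source == "default_ccache_name" and mit_name != hadoop_style_resolve(env, uid)


if __name__ == "__main__":
    for env in ({"KRB5CCNAME": "DIR:/mydir/"}, {}):
        name, source = resolve_ccache(env, SAMPLE_KRB5_CONF, 1000)
        print(f"env={env!r:30} MIT -> {name} (from {source}); "
              f"UGI-style -> {hadoop_style_resolve(env, 1000)}; "
              f"diverges={diverges(env, SAMPLE_KRB5_CONF, 1000)}")
```

With KRB5CCNAME unset the two strategies agree only when the profile does not set `default_ccache_name`; on a keyring-configured host the UGI-style lookup would go to `/tmp/krb5cc_1000` while `kinit` on the same box populated the keyring, which is exactly the mismatch the proposal is about.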
