Thank you Steve for your reply.

> If you haven't guessed, Kerberos is an eternal support of pain and suffering 
Agreed. But it hurts us further when our utilities don't behave in the way they 
are expected to.

> Any change must be matched with clarifications to the hadoop security docs, and 
> KDiag extended to provide extra information about the source of the cache.
Understood. I’ll keep this in mind.

> One big risk here is over regressions across versions of clients
Yes, agreed again. We can keep the current behavior intact and introduce this 
change as a configurable option. I believe more Kerberos admins would like to 
opt for this as this is how any Kerberos client is expected to work.

Suggestions/comments?

Regards,
Vipin

> On Mar 19, 2019, at 03:27, Steve Loughran <ste...@cloudera.com.invalid> wrote:
> 
> If you haven't guessed, Kerberos is an eternal support of pain and
> suffering
> 
> Any change must be matched with clarifications to the hadoop security docs,
> and KDiag extended to provide extra information about the source of the
> cache.
> 
> One big risk here is over regressions across versions of clients
> 
> 
>> On Mon, Mar 18, 2019 at 11:48 PM Vipin Rathor <v.rat...@gmail.com> wrote:
>> 
>> Hello Devs,
>> I'm Vipin, a long-time Apache Hadoop user and I like to tinker around in my
>> free time. I've been an MIT Kerberos contributor in my past life.
>> 
>> While chasing the Kerberos credential cache usage in Hadoop, I found out
>> that the UGI code[1] makes use of the KRB5CCNAME environment variable to find
>> the credential cache name and defaults to /tmp/krb5cc_$uid when there is no
>> KRB5CCNAME defined, while completely ignoring the values defined in
>> /etc/krb5.conf.
>> 
>> As per the MIT Kerberos doc[2], the correct credential cache location logic
>> should be:
>> ****************************
>> Default ccache name
>> The default credential cache name is determined by the following, in
>> descending order of priority:
>>    The KRB5CCNAME environment variable. For example,
>> KRB5CCNAME=DIR:/mydir/.
>>    The default_ccache_name profile variable in [libdefaults].
>>    The hardcoded default, DEFCCNAME.
>> ****************************
>> 
>> I propose to include support for reading default_ccache_name from
>> /etc/krb5.conf while deciding the right Kerberos credential cache to use.
>> 
>> I am currently testing a patch but wanted to check what the community
>> thinks before submitting.
>> 
>> Thanks for reading and I'm open to discussing any suggestions.
>> 
>> Regards,
>> Vipin
>> 
>> [1] https://github.com/apache/hadoop/blob/ae3a2c3851cbf7f010f7ae5734ed9e2dbac5d50c/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java#L2045
>> [2] https://web.mit.edu/kerberos/krb5-1.15/doc/basic/ccache_def.html#default-ccache-name
>> 
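As an added illustration (not code from this thread or from Hadoop), the two lookup orders the thread contrasts, modelled in Python: the UGI behaviour Vipin describes (KRB5CCNAME, else /tmp/krb5cc_$uid, krb5.conf ignored) beside the MIT precedence, run over a constructed krb5.conf excerpt. Each result also carries the source of the decision, the kind of detail Steve asks KDiag to report; the DEFCCNAME value and the %{uid} expansion are assumptions based on a typical Linux MIT build.

```python
# Constructed krb5.conf excerpt (not from the thread): a site that moved its
# credential cache out of /tmp via default_ccache_name in [libdefaults].
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

# Assumption: the hardcoded DEFCCNAME of a typical Linux MIT build.
HARDCODED_DEFAULT = "FILE:/tmp/krb5cc_%{uid}"


def read_libdefaults(text):
    """Minimal krb5.conf reader: key/value pairs of [libdefaults] only.
    Brace-delimited sub-blocks (as in [realms]) are skipped."""
    values, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif section == "libdefaults" and depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def hadoop_legacy_ccache(env, uid):
    """UGI behaviour described in the thread: env var, else /tmp/krb5cc_$uid."""
    if env.get("KRB5CCNAME"):
        return env["KRB5CCNAME"], "KRB5CCNAME"
    return f"/tmp/krb5cc_{uid}", "hardcoded /tmp/krb5cc_$uid"


def mit_ccache(env, krb5_conf_text, uid):
    """MIT precedence: KRB5CCNAME, then default_ccache_name, then DEFCCNAME."""
    if env.get("KRB5CCNAME"):
        return env["KRB5CCNAME"], "KRB5CCNAME"
    profile = read_libdefaults(krb5_conf_text).get("default_ccache_name")
    if profile:
        return profile.replace("%{uid}", str(uid)), "default_ccache_name in [libdefaults]"
    return HARDCODED_DEFAULT.replace("%{uid}", str(uid)), "DEFCCNAME"
```

With the sample configuration and no KRB5CCNAME, the legacy path looks in /tmp/krb5cc_1000 while MIT tools use KEYRING:persistent:1000, which is exactly the mismatch the proposal addresses.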
