[ 
https://issues.apache.org/jira/browse/HADOOP-13805?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alejandro Abdelnur updated HADOOP-13805:
----------------------------------------
    Description: 
The intention of HADOOP-13558 was to prevent UGI from trying to renew the TGT 
when the UGI is created from an existing Subject, as in that case the keytab is 
not 'owned' by UGI but by the creator of the Subject.

In HADOOP-13558 we introduced a new private UGI constructor 
{{UserGroupInformation(Subject subject, final boolean externalKeyTab)}} and we 
use it with TRUE only when doing a {{UGI.loginUserFromSubject()}}.

The problem is, when we call {{UGI.getCurrentUser()}}, and UGI was created via 
a Subject (via the {{UGI.loginUserFromSubject()}} method), we call {{new 
UserGroupInformation(subject)}} which will delegate to 
{{UserGroupInformation(Subject subject, final boolean externalKeyTab)}} and 
that will use externalKeyTab == *FALSE*. 

Then the UGI returned by {{UGI.getCurrentUser()}} will attempt to log in using a 
non-existing keytab if the TGT expired.



  was:
The intention of HADOOP-13558 was to prevent UGI from trying to renew the TGT 
when the UGI is created from an existing Subject, as in that case the keytab is 
not 'owned' by UGI but by the creator of the Subject.

In HADOOP-13558 we introduced a new private UGI constructor 
{{UserGroupInformation(Subject subject, final boolean externalKeyTab)}} and we 
use it with TRUE only when doing a {{UGI.loginUserFromSubject()}}.

The problem is, when we call {{UGI.getCurrentUser()}}, and UGI was created via 
a Subject (via the {{UGI.loginUserFromSubject()}} method), we call {{new 
UserGroupInformation(subject)}} which will delegate to 
{{UserGroupInformation(Subject subject, final boolean externalKeyTab)}} and 
that will use externalKeyTab == *TRUE*. 

Then the UGI returned by {{UGI.getCurrentUser()}} will attempt to log in using a 
non-existing keytab if the TGT expired.




> UGI.getCurrentUser() fails if user does not have a keytab associated
> --------------------------------------------------------------------
>
>                 Key: HADOOP-13805
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13805
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.8.0, 2.9.0, 3.0.0-alpha2
>            Reporter: Alejandro Abdelnur
>            Priority: Blocker
>
> The intention of HADOOP-13558 was to prevent UGI from trying to renew the TGT 
> when the UGI is created from an existing Subject, as in that case the keytab 
> is not 'owned' by UGI but by the creator of the Subject.
> In HADOOP-13558 we introduced a new private UGI constructor 
> {{UserGroupInformation(Subject subject, final boolean externalKeyTab)}} and 
> we use it with TRUE only when doing a {{UGI.loginUserFromSubject()}}.
> The problem is, when we call {{UGI.getCurrentUser()}}, and UGI was created 
> via a Subject (via the {{UGI.loginUserFromSubject()}} method), we call {{new 
> UserGroupInformation(subject)}} which will delegate to 
> {{UserGroupInformation(Subject subject, final boolean externalKeyTab)}} and 
> that will use externalKeyTab == *FALSE*. 
> Then the UGI returned by {{UGI.getCurrentUser()}} will attempt to log in using 
> a non-existing keytab if the TGT expired.
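
The flag loss described in this issue, as an added, simplified Java model (not Hadoop's {{UserGroupInformation}} code and not part of the original message). The {{Ugi}} class, the method names and the {{ExternalKeyTabMarker}} credential are hypothetical; storing a marker on the Subject is one assumed way to make the ownership flag survive a rebuild from the Subject, not the fix adopted for this issue.

```java
import javax.security.auth.Subject;

public class UgiFlagModel {
    // Hypothetical marker credential: records on the Subject itself that the
    // keytab belongs to the Subject's creator, not to the UGI.
    static final class ExternalKeyTabMarker {}

    // Simplified stand-in for a UGI: a Subject plus the ownership flag.
    static final class Ugi {
        final Subject subject;
        final boolean externalKeyTab;

        Ugi(Subject subject, boolean externalKeyTab) {
            this.subject = subject;
            this.externalKeyTab = externalKeyTab;
        }

        // Only a UGI that owns its keytab should try to re-login from it.
        boolean wouldReloginFromKeytab(boolean tgtExpired) {
            return tgtExpired && !externalKeyTab;
        }
    }

    // Login path: the caller states that the keytab is external.
    static Ugi loginUserFromSubject(Subject s) {
        s.getPrivateCredentials().add(new ExternalKeyTabMarker());
        return new Ugi(s, true);
    }

    // Shape of the bug: a later lookup has only the Subject and defaults the flag.
    static Ugi currentUserDefaultingFlag(Subject s) {
        return new Ugi(s, false);
    }

    // Assumed alternative: derive the flag from state that travels with the Subject.
    static Ugi currentUserFromMarker(Subject s) {
        boolean external = !s.getPrivateCredentials(ExternalKeyTabMarker.class).isEmpty();
        return new Ugi(s, external);
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        Ugi login = loginUserFromSubject(subject);
        System.out.println("login UGI relogin attempt:      " + login.wouldReloginFromKeytab(true));
        System.out.println("rebuilt, flag defaulted:        " + currentUserDefaultingFlag(subject).wouldReloginFromKeytab(true));
        System.out.println("rebuilt, flag read from marker: " + currentUserFromMarker(subject).wouldReloginFromKeytab(true));
    }
}
```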


