[jira] [Updated] (HADOOP-13805) UGI.getCurrentUser() fails if user does not have a keytab associated

Thu, 17 Nov 2016 19:35:20 -0800 

     [ 
https://issues.apache.org/jira/browse/HADOOP-13805?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Xiao Chen updated HADOOP-13805:
-------------------------------
    Attachment: HADOOP-13805.02.patch

Thanks [~tucu00] for the review. I thought more about this, and feels like we 
should add an orthogonal parameter to control whether to relogin/spawn renew 
thread or not. 

Patch 2 attached, I believe this should take care of both this and HADOOP-13807 
correctly.

> UGI.getCurrentUser() fails if user does not have a keytab associated
> --------------------------------------------------------------------
>
>                 Key: HADOOP-13805
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13805
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.8.0, 2.9.0, 3.0.0-alpha2
>            Reporter: Alejandro Abdelnur
>            Assignee: Xiao Chen
>            Priority: Blocker
>         Attachments: HADOOP-13805.01.patch, HADOOP-13805.02.patch
>
>
> HADOOP-13558 intention was to avoid UGI from trying to renew the TGT when the 
> UGI is created from an existing Subject as in that case the keytab is not 
> 'own' by UGI but by the creator of the Subject.
> In HADOOP-13558 we introduced a new private UGI constructor 
> {{UserGroupInformation(Subject subject, final boolean externalKeyTab)}} and 
> we use with TRUE only when doing a {{UGI.loginUserFromSubject()}}.
> The problem is, when we call {{UGI.getCurrentUser()}}, and UGI was created 
> via a Subject (via the {{UGI.loginUserFromSubject()}} method), we call {{new 
> UserGroupInformation(subject)}} which will delegate to 
> {{UserGroupInformation(Subject subject, final boolean externalKeyTab)}}  and 
> that will use externalKeyTab == *FALSE*. 
> Then the UGI returned by {{UGI.getCurrentUser()}} will attempt to login using 
> a non-existing keytab if the TGT expired.
> This problem is experienced in {{KMSClientProvider}} when used by the HDFS 
> filesystem client accessing an an encryption zone.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to