[ https://issues.apache.org/jira/browse/HADOOP-13805?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Xiao Chen updated HADOOP-13805:
-------------------------------
    Attachment: HADOOP-13805.04.patch

Patch 4 attached.

Tested this by running downstream smokes etc, didn't see any failure. But found 
out there's an existing test {{TestUGIWithMiniKdc}} that needs update.

bq.  The renewal thread should not be started if there is no keytab, there is 
no point to do so because it will not have the credentials (the info in the 
keytab) at renewal time.
[~tucu00] please correct me if I'm wrong, the renewal thread is doing {{kinit 
-R}} so a TGT would be sufficient, and keytab doesn't need to be renewed or 
present for the tgt renewal, right? In any case, I agree with your initial 
proposal of having this done in HADOOP-13807 - feels cleaner and more separated 
:)

> UGI.getCurrentUser() fails if user does not have a keytab associated
> --------------------------------------------------------------------
>
>                 Key: HADOOP-13805
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13805
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.8.0, 2.9.0, 3.0.0-alpha2
>            Reporter: Alejandro Abdelnur
>            Assignee: Xiao Chen
>         Attachments: HADOOP-13805.01.patch, HADOOP-13805.02.patch, 
> HADOOP-13805.03.patch, HADOOP-13805.04.patch
>
>
> HADOOP-13558 intention was to avoid UGI from trying to renew the TGT when the 
> UGI is created from an existing Subject as in that case the keytab is not 
> 'own' by UGI but by the creator of the Subject.
> In HADOOP-13558 we introduced a new private UGI constructor 
> {{UserGroupInformation(Subject subject, final boolean externalKeyTab)}} and 
> we use with TRUE only when doing a {{UGI.loginUserFromSubject()}}.
> The problem is, when we call {{UGI.getCurrentUser()}}, and UGI was created 
> via a Subject (via the {{UGI.loginUserFromSubject()}} method), we call {{new 
> UserGroupInformation(subject)}} which will delegate to 
> {{UserGroupInformation(Subject subject, final boolean externalKeyTab)}}  and 
> that will use externalKeyTab == *FALSE*. 
> Then the UGI returned by {{UGI.getCurrentUser()}} will attempt to login using 
> a non-existing keytab if the TGT expired.
> This problem is experienced in {{KMSClientProvider}} when used by the HDFS 
> filesystem client accessing an encryption zone.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
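The constructor-delegation problem in the issue description, as an added illustration that is not Hadoop's code and not the attached patch: a toy `Subject`/`Ugi` model, constructed for this example, in which the buggy wrapper keeps the `externalKeyTab` flag in a field that `getCurrentUser()` resets to `false` when it rebuilds the wrapper from the Subject, and a hardened variant (one possible design, not necessarily what HADOOP-13805 ships) that records keytab ownership on the Subject's private credentials so a re-wrap cannot lose it. The principal names and keytab path are placeholders.

```java
import java.util.HashSet;
import java.util.Set;

/**
 * Added illustration, not Hadoop code. "Subject", "OwnedKeytab", "BuggyUgi"
 * and "FixedUgi" are constructed stand-ins for the real UGI machinery.
 */
public class ExternalKeytabDemo {

    /** Stand-in for javax.security.auth.Subject: a principal plus private credentials. */
    static final class Subject {
        final String principal;
        final Set<Object> privateCredentials = new HashSet<>();
        Subject(String principal) { this.principal = principal; }
    }

    /** Marker credential: present only when the login object itself loaded the keytab. */
    static final class OwnedKeytab {
        final String path;
        OwnedKeytab(String path) { this.path = path; }
    }

    /** Pattern from the issue: ownership lives in a field that a re-wrap silently resets. */
    static final class BuggyUgi {
        final Subject subject;
        final boolean externalKeytab;
        BuggyUgi(Subject subject) { this(subject, false); }      // default drops the flag
        BuggyUgi(Subject subject, boolean externalKeytab) {
            this.subject = subject;
            this.externalKeytab = externalKeytab;
        }
        static BuggyUgi loginUserFromSubject(Subject s) { return new BuggyUgi(s, true); }
        /** Mirrors getCurrentUser(): rebuilds the wrapper from the Subject alone. */
        BuggyUgi getCurrentUser() { return new BuggyUgi(subject); }
        /** What this wrapper would do once the TGT has expired. */
        String onTgtExpired() {
            if (externalKeytab) return "leave renewal to the Subject's owner";
            // No keytab was ever handed to this wrapper, yet it tries to use one.
            return "reloginFromKeytab() with no keytab -> login failure";
        }
    }

    /** Hardened variant: ownership is a credential on the Subject, so re-wrapping keeps it. */
    static final class FixedUgi {
        final Subject subject;
        FixedUgi(Subject subject) { this.subject = subject; }
        static FixedUgi loginUserFromKeytab(String principal, String keytabPath) {
            Subject s = new Subject(principal);
            s.privateCredentials.add(new OwnedKeytab(keytabPath)); // only this path adds it
            return new FixedUgi(s);
        }
        static FixedUgi loginUserFromSubject(Subject s) { return new FixedUgi(s); }
        FixedUgi getCurrentUser() { return new FixedUgi(subject); }
        boolean ownsKeytab() {
            return subject.privateCredentials.stream().anyMatch(c -> c instanceof OwnedKeytab);
        }
        String onTgtExpired() {
            return ownsKeytab() ? "reloginFromKeytab() using the owned keytab"
                                : "leave renewal to the Subject's owner";
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a Subject created outside UGI, with no keytab at all.
        Subject external = new Subject("alice@EXAMPLE.COM");
        BuggyUgi buggy = BuggyUgi.loginUserFromSubject(external);
        System.out.println("buggy, login UGI        : " + buggy.onTgtExpired());
        System.out.println("buggy, getCurrentUser() : " + buggy.getCurrentUser().onTgtExpired());

        FixedUgi fixedExt = FixedUgi.loginUserFromSubject(external);
        FixedUgi fixedKt = FixedUgi.loginUserFromKeytab("svc@EXAMPLE.COM", "/placeholder/svc.keytab");
        System.out.println("fixed, current (external) : " + fixedExt.getCurrentUser().onTgtExpired());
        System.out.println("fixed, current (keytab)   : " + fixedKt.getCurrentUser().onTgtExpired());
    }
}
```

The second `buggy` line is the failure mode the description reports: the object returned by `getCurrentUser()` believes it owns a keytab and, on TGT expiry, attempts a keytab relogin that can only fail. In the hardened variant the decision is derived from the Subject's own credentials rather than from a constructor argument with a default, so every wrapper built over the same Subject reaches the same answer.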