[ 
https://issues.apache.org/jira/browse/HADOOP-15758?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16617983#comment-16617983
 ] 

Eric Yang commented on HADOOP-15758:
------------------------------------

[~hgadre] {quote}(b) if a ticket cache path is not specified and user name is 
provided, it creates a remote user {quote}

Ticket cache must be verified prior to creating a remote user.  Without a 
validated ticket, Java code should not have access to create a remote user.  
Proxy user check must be in place on the server side to prevent a security hole.

{quote}application provide the user name as well as the ticket cache path. The 
question is should it treat this as a proxy user scenario?{quote}

This seems like a valid use case that Spark and Hive would depend on.

> Filesystem.get(URI, Configuration, user) API not working with proxy users
> -------------------------------------------------------------------------
>
>                 Key: HADOOP-15758
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15758
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.6.0, 3.0.0
>            Reporter: Hrishikesh Gadre
>            Assignee: Hrishikesh Gadre
>            Priority: Major
>         Attachments: HADOOP-15758-001.patch
>
>
> A user reported that the Filesystem.get API is not working as expected when 
> they use the 'FileSystem.get(URI, Configuration, user)' method signature - 
> but 'FileSystem.get(URI, Configuration)' works fine. The user is trying to 
> use this method signature to mimic proxy user functionality e.g. provide 
> ticket cache based Kerberos credentials (using KRB5CCNAME env variable) for 
> the proxy user and then in the java program pass name of the user to be 
> impersonated. The alternative, to use [proxy users 
> functionality|https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html]
>  in Hadoop works as expected.
>  
> Since FileSystem.get(URI, Configuration, user) is a public API and it does 
> not restrict its usage in this fashion, we should ideally make it work or add 
> docs to discourage its usage to implement proxy users.
>  
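
The proxy-user route that the issue description says works as expected, written against Hadoop's `UserGroupInformation` API as an added example (not code from the issue or from the attached patch). The class name, the NameNode URI and the user name `alice` are assumptions made for illustration.

```java
import java.net.URI;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

// Added illustration; class name, URI and user name are assumptions.
public class ProxyUserListing {

    public static void main(String[] args) throws Exception {
        URI fsUri = URI.create("hdfs://namenode.example.com:8020"); // assumed
        String impersonated = "alice";                              // assumed

        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);

        // The real user is whoever holds the Kerberos credentials of this
        // process (for example a ticket cache named by KRB5CCNAME).
        UserGroupInformation realUser = UserGroupInformation.getLoginUser();
        if (!realUser.hasKerberosCredentials()) {
            throw new IllegalStateException(
                "No Kerberos credentials for " + realUser.getUserName()
                + "; refusing to build a proxy user");
        }

        // The proxy UGI carries both identities, so the server can apply its
        // proxy-user check (hadoop.proxyuser.<realUser>.hosts and .groups in
        // core-site.xml) before honouring the impersonation.
        UserGroupInformation proxy =
            UserGroupInformation.createProxyUser(impersonated, realUser);

        FileStatus[] entries = proxy.doAs(
            (PrivilegedExceptionAction<FileStatus[]>) () -> {
                // newInstance avoids closing a cached, shared FileSystem.
                try (FileSystem fs = FileSystem.newInstance(fsUri, conf)) {
                    return fs.listStatus(new Path("/user/" + impersonated));
                }
            });

        for (FileStatus entry : entries) {
            System.out.println(entry.getOwner() + "\t" + entry.getPath());
        }
    }
}
```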


