[ https://issues.apache.org/jira/browse/HADOOP-16122?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16773229#comment-16773229 ]

Eric Yang commented on HADOOP-16122:
------------------------------------

[~tobe] Access control must be done on the server side to keep the system secure.  
ProxyUser can map to a group of users.  As long as the administrator manages the 
membership of users, there is no configuration change required for long term 
maintenance of Hadoop.

Static keytab and principal are to ensure that the client side JVM does not have 
the ability to switch user without consent of server side access control.  If code 
is modified to allow the client side JVM to switch user without server side 
authorization, the system has no security.  This allows any mapreduce task 
or yarn container to become any other user.

UserGroupInformation makes use of kinit to login the user and the ticket cache to 
determine the expiration time of the current Kerberos session.  The ticket cache file 
maps to the actual unix user who runs the process.  The content of the ticket cache 
will be switched to the most recently authenticated tgt.  The multi-keytab login 
proposal works against security checks that are placed in the OS (file system 
permission, kerberos ticket cache filename format, etc).  Even if the developer 
managed to break every piece of the security check, the end result will be equal 
to no security.  I am sorry to say that this proposal will not be accepted by the 
Hadoop community.

> Re-login from keytab for multiple UGI will use the same and incorrect 
> keytabPrincipal
> -------------------------------------------------------------------------------------
>
>                 Key: HADOOP-16122
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16122
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: auth
>            Reporter: chendihao
>            Priority: Major
>
> In our scenario, we have a service to allow multiple users to access HDFS 
> with their keytab. The users use different Hadoop users and permissions to 
> access the HDFS files. This service will run with multiple threads and create an 
> independent UGI object for each user and use its own UGI to create a Hadoop 
> FileSystem object to read/write HDFS.
>  
> Since we have multiple Hadoop users in the same process, we have to use 
> `loginUserFromKeytabAndReturnUGI` instead of `loginUserFromKeytab`. The 
> `loginUserFromKeytabAndReturnUGI` will not do the re-login automatically. 
> Then we have to call `checkTGTAndReloginFromKeytab` or `reloginFromKeytab` 
> before the kerberos ticket expires.
>  
> The issue is that `reloginFromKeytab` will always re-login with the same and 
> incorrect keytab instead of the one from the expected UGI object. Because of 
> this issue, we can only support multiple Hadoop users to log in with their own 
> keytabs the first time but not re-login when the tickets expire. The logic 
> of login and re-login is slightly different, especially for updating the 
> global static properties, and it may be a bug in the implementation of that.



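The pattern the comment above recommends, as an added example (not code from the JIRA issue or from the Hadoop project itself): a multi-tenant service logs in once with a single static service keytab and then acts for each end user through Hadoop's proxy-user mechanism, so the NameNode, not the client JVM, decides which identities the service may assume. The class name, principal, keytab path and directory are assumed values; the `UserGroupInformation`, `FileSystem` and `Path` calls are Hadoop's public API.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

/**
 * Multi-tenant gateway that holds ONE service keytab and impersonates end
 * users via proxy-user. The server enforces hadoop.proxyuser.* rules, so the
 * client JVM never switches identity on its own authority.
 */
public final class ProxyUserGateway {

    // Assumed deployment values (hypothetical, not taken from the issue).
    private static final String SERVICE_PRINCIPAL = "svc/gateway.example.com@EXAMPLE.COM";
    private static final String SERVICE_KEYTAB = "/etc/security/keytabs/svc.keytab";

    private final Configuration conf;

    public ProxyUserGateway(Configuration conf) throws IOException {
        this.conf = conf;
        UserGroupInformation.setConfiguration(conf);
        // One static login for the whole process; this is the identity the
        // NameNode authenticates on the wire.
        UserGroupInformation.loginUserFromKeytab(SERVICE_PRINCIPAL, SERVICE_KEYTAB);
    }

    /**
     * Lists {@code dir} as {@code endUser}. HDFS permission checks run against
     * endUser, and the proxy-user ACL decides whether the service may act for them.
     */
    public FileStatus[] listAs(String endUser, String dir)
            throws IOException, InterruptedException {
        UserGroupInformation login = UserGroupInformation.getLoginUser();
        // There is exactly one login UGI in this process, so the keytab and
        // principal used on re-login are always the right ones.
        login.checkTGTAndReloginFromKeytab();

        UserGroupInformation proxy = UserGroupInformation.createProxyUser(endUser, login);
        return proxy.doAs((PrivilegedExceptionAction<FileStatus[]>) () -> {
            // The FileSystem cache is keyed by UGI, so each end user gets its
            // own FileSystem instance without a second keytab login.
            FileSystem fs = FileSystem.get(conf);
            return fs.listStatus(new Path(dir));
        });
    }

    public static void main(String[] args) throws Exception {
        ProxyUserGateway gw = new ProxyUserGateway(new Configuration());
        for (FileStatus st : gw.listAs("alice", "/user/alice")) {
            System.out.println(st.getPath());
        }
    }
}
```

For this to work the cluster administrator must allow the service principal to impersonate, for example by setting `hadoop.proxyuser.svc.hosts` and `hadoop.proxyuser.svc.groups` in `core-site.xml` on the NameNode (the `svc` segment is the short name of the assumed service principal). Adding or removing a user from those groups is the only change needed to grant or revoke access; no new keytab and no client-side re-login logic is involved, and an unauthorised impersonation attempt is rejected by the NameNode rather than relying on the client JVM.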
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)