https://issues.apache.org/jira/browse/HADOOP-16122?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16773617#comment-16773617

chendihao edited comment on HADOOP-16122 at 2/21/19 2:58 AM:
-------------------------------------------------------------

Thanks [~eyang] for the suggestion. I have to declare that the client side JVM 
will not get the keytab in our scenario and all the logic of HDFS operations is 
implemented on the server side, which is different from Oozie.

I agree that using multi-keytab is not the best solution, which requires clients 
to submit the auth files. But in the real world, we are not allowed to edit the 
core-site.xml to add the ProxyUser even though it is a one-off operation.

Back to this issue, now Hadoop provides `loginUserFromKeytabAndReturnUGI()` 
which allows users to create multiple UGIs and we can login with multiple keytabs 
in the same process. The problem is in `reloginFromKeytab()` which uses the 
incorrect keytabPrincipal. I think we can fix that by using the correct 
keytabPrincipal without the static properties and submit the patch for this.

Hadoop is great because it suits all kinds of customers' scenarios. I hope we 
can fix this if it is identified as a bug even though it is not the best and 
most secure solution for all users.


was (Author: tobe):
Thanks [~eyang] for the suggestion. I have to declare that the client side JVM 
will not get the keytab in our scenario and all the logic of HDFS operations is 
implemented on the server side, which is different from Oozie.

I agree that using multi-keytab is not the best solution, which requires clients 
to submit the auth files. But in the real world, we are not allowed to edit the 
core-site.xml to add the ProxyUser even though it is a one-off operation.

Back to this issue, now Hadoop provides `loginUserFromKeytabAndReturnUGI()` and 
allows creating multiple UGIs and we can login with multiple keytabs in the same 
process. The problem is in `reloginFromKeytab()` which uses the incorrect 
keytabPrincipal. I think we can fix that by using the correct keytabPrincipal 
without the static properties and submit the patch for this.

Hadoop is great because it suits all kinds of customers' scenarios. I hope we 
can fix this if it is identified as a bug even though it is not the best and 
most secure solution for all users.

> Re-login from keytab for multiple UGI will use the same and incorrect 
> keytabPrincipal
> -------------------------------------------------------------------------------------
>
>                 Key: HADOOP-16122
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16122
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: auth
>            Reporter: chendihao
>            Priority: Major
>
> In our scenario, we have a service to allow multiple users to access HDFS 
> with their keytabs. The users use different Hadoop users and permissions to 
> access the HDFS files. This service will run with multiple threads and create 
> an independent UGI object for each user and use its own UGI to create a Hadoop 
> FileSystem object to read/write HDFS.
>  
> Since we have multiple Hadoop users in the same process, we have to use 
> `loginUserFromKeytabAndReturnUGI` instead of `loginUserFromKeytab`. The 
> `loginUserFromKeytabAndReturnUGI` will not do the re-login automatically. 
> Then we have to call `checkTGTAndReloginFromKeytab` or `reloginFromKeytab` 
> before the Kerberos ticket expires.
>  
> The issue is that `reloginFromKeytab` will always re-login with the same and 
> incorrect keytab instead of the one from the expected UGI object. Because of 
> this issue, we can only support multiple Hadoop users logging in with their own 
> keytabs the first time but not re-logging in when the tickets expire. The logic 
> of login and re-login is slightly different, especially for updating the 
> global static properties, and it may be a bug in the implementation of that.
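The per-user UGI pattern the report describes, as an added example that is not code from the issue or from Hadoop itself: each tenant gets its own UGI from `loginUserFromKeytabAndReturnUGI`, and every HDFS call first calls `checkTGTAndReloginFromKeytab` on that same UGI and then runs under `doAs`. The class, method names and keytab locations are assumed; on the versions this issue is about, the relogin call is where the static, wrong keytabPrincipal would be used.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

/** Hypothetical multi-tenant HDFS gateway: one UGI per tenant, keytabs stay server-side. */
public class MultiKeytabHdfsService {
    private final Configuration conf;
    private final Map<String, UserGroupInformation> ugis = new ConcurrentHashMap<>();

    public MultiKeytabHdfsService(Configuration conf) {
        this.conf = conf;
        UserGroupInformation.setConfiguration(conf); // picks up hadoop.security.authentication=kerberos
    }

    /** Registers a tenant; the keytab path is an assumed server-side location. */
    public void registerUser(String principal, String keytabPath) throws IOException {
        // Independent UGI per tenant instead of the process-wide loginUserFromKeytab().
        UserGroupInformation ugi =
            UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytabPath);
        ugis.put(principal, ugi);
    }

    /** Lists a directory as the given tenant, renewing that tenant's TGT first if needed. */
    public FileStatus[] listAs(String principal, String dir)
            throws IOException, InterruptedException {
        UserGroupInformation ugi = ugis.get(principal);
        if (ugi == null) {
            throw new IllegalArgumentException("unknown user: " + principal);
        }
        // Renewal is not automatic for UGIs returned by loginUserFromKeytabAndReturnUGI().
        // This is the call that, on affected versions, re-logs with the static keytabPrincipal
        // rather than the one this UGI was created with.
        ugi.checkTGTAndReloginFromKeytab();
        return ugi.doAs((PrivilegedExceptionAction<FileStatus[]>) () -> {
            // FileSystem.get() caches per UGI, so each tenant gets its own FileSystem instance.
            FileSystem fs = FileSystem.get(conf);
            return fs.listStatus(new Path(dir));
        });
    }
}
```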



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)