[GitHub] accumulo pull request #273: ACCUMULO-4665 Use UGI with real Kerberos credent...

Mon, 26 Jun 2017 13:39:12 -0700 

Github user joshelser commented on a diff in the pull request:

    https://github.com/apache/accumulo/pull/273#discussion_r124114509
  
    --- Diff: 
core/src/main/java/org/apache/accumulo/core/client/security/tokens/KerberosToken.java
 ---
    @@ -70,18 +71,12 @@ public KerberosToken(String principal) throws 
IOException {
        *          Should the current Hadoop user be replaced with this user
        */
       public KerberosToken(String principal, File keytab, boolean 
replaceCurrentUser) throws IOException {
    -    requireNonNull(principal, "Principal was null");
    -    requireNonNull(keytab, "Keytab was null");
    +    this.principal = requireNonNull(principal, "Principal was null");
    +    this.keytab = requireNonNull(keytab, "Keytab was null");
         checkArgument(keytab.exists() && keytab.isFile(), "Keytab was not a 
normal file");
    -    UserGroupInformation ugi;
         if (replaceCurrentUser) {
           UserGroupInformation.loginUserFromKeytab(principal, 
keytab.getAbsolutePath());
    -      ugi = UserGroupInformation.getCurrentUser();
    --- End diff --
    
    Essentially, Accumulo's Kerberos support was written to support full 
principals as "usernames". Hadoop, however, has rules that define how 
principals are converted into "short names" and uses though.
    
    e.g. the Kerberos principal {{[email protected]}} would be shortened to 
{{accumulo}} by the default Hadoop rules (in core-site.xml).
    
    The problem is that Accumulo would treat {{accumulo}} and 
{{[email protected]}} differently. The check above that was removed was to 
remove this client-side check and let it happen server-side.
    
    The flaw was that when a user has their own Kerberos ticket and talking to 
Accumulo, this is likely programmer error. But in the case where I am a server 
making a request to Accumulo on behalf of a user, it prevents the server from 
writing "logical" code (the test case hopefully makes this clear).


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---

Reply via email to