Wei-Chiu Chuang created HDFS-13520: -------------------------------------- Summary: fuse_dfs to support keytab based login Key: HDFS-13520 URL: https://issues.apache.org/jira/browse/HDFS-13520 Project: Hadoop HDFS Issue Type: Improvement Affects Versions: 2.6.0 Environment: Hadoop 2.6/3.0, Kerberized, fuse_dfs Reporter: Wei-Chiu Chuang
It looks like the current fuse_dfs implementation supports login using current kerberos credential. If the tgt expires, it fails with the following error: {noformat} hdfsBuilderConnect(forceNewInstance=1, nn=hdfs://ns1, port=0, kerbTicketCachePath=/tmp/krb5cc_2000, userName=systest) error: LoginException: Unable to obtain Principal Name for authentication org.apache.hadoop.security.KerberosAuthException: failure to login: for user: systest using ticket cache file: /tmp/krb5cc_2000 javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication at org.apache.hadoop.security.UserGroupInformation.getUGIFromTicketCache(UserGroupInformation.java:807) at org.apache.hadoop.security.UserGroupInformation.getBestUGI(UserGroupInformation.java:742) at org.apache.hadoop.fs.FileSystem.newInstance(FileSystem.java:404) Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:841) at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:704) at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) at javax.security.auth.login.LoginContext.login(LoginContext.java:587) at org.apache.hadoop.security.UserGroupInformation.getUGIFromTicketCache(UserGroupInformation.java:788) ... 2 more {noformat} This is reproducible easily in a test cluster with an extremely short ticket life time (e.g. 1 minute) Note: HDFS-3608 addresses a similar issue, but in this case, since the ticket cache file itself does not change, fuse couldn't detect & update. It looks like it should call UserGroupInformation#loginFromKeytab() in the beginning, similar to how balancer supports keytab based login (HDFS-9804). Thanks [~xiaochen] for the idea. Or alternatively, have a background process that continuously relogin from keytab. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: hdfs-dev-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-dev-h...@hadoop.apache.org