[ https://issues.apache.org/jira/browse/HDFS-14668?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16989730#comment-16989730 ]
Istvan Fajth commented on HDFS-14668:
-------------------------------------

After a couple of days of thinking and a few hours of testing, I decided to come up with the given PR.

The main reasons I chose this solution are the following:
- the affected UGI API calls are public, and may be used in other projects, where the necessary tunings might already have happened.
- there does not seem to be a good way of deciding whether the given username is a valid principal name, and we cannot implement FUSE specific solutions in the UGI code
- I am not familiar enough with how other projects are using the UGI; this phenomenon might cause problems there as well. I am not sure why it was necessary to add the username as a principal all the time from the UGI, and it is not clear if this scenario was considered at that time, but without [~daryn] I think we might not get this information ever, so removing the newly added behaviour does not seem to be a good option and can cause troubles in other areas.
- this change has the least effect on any other code that has been written

The solution itself changes the connection builder setup, and in case of a kerberized environment FUSE does not set the username, which renders the value to null on the Java level properly, so that the Java Kerberos layer from inside the UGI calls will determine the principal's name from the ticket cache provided.
In the non-kerberized environments, we still need to provide the username, as in that case we are checking permissions against the OS user name, and we don't want to lose this inside the FUSE logic either.

While I have been checking this, I came across the fact that inside FUSE we could check and, if set, use the value of the HADOOP_USER_NAME environment variable, but we currently do not use it anywhere. I filed HDFS-15034 for this improvement to track it.

> Support Fuse with Users from multiple Security Realms
> -----------------------------------------------------
>
> Key: HDFS-14668
> URL: https://issues.apache.org/jira/browse/HDFS-14668
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: fuse-dfs
> Reporter: Sailesh Patel
> Assignee: Istvan Fajth
> Priority: Minor
>
> Users from non-default krb5 domain can't use hadoop-fuse.
> There are 2 Realms with kdc.
> -one realm is for human users (USERS.COM.US)
> -the other is for service principals. (SERVICE.COM.US)
> Cross realm trust is setup.
> In krb5.conf the default domain is set to SERVICE.COM.US
> Users within USERS.COM.US Realm are not able to put any files to Fuse mounted location
> The client shows:
> cp: cannot create regular file ‘/hdfs_mount/tmp/hello_from_fuse.txt’: Input/output error

--
This message was sent by Atlassian Jira (v8.3.4#803005)