[ https://issues.apache.org/jira/browse/HDFS-3553?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daryn Sharp updated HDFS-3553:
------------------------------
    Attachment: HDFS-3553-1.branch-1.0.patch

Problem is in both the hftp client and the NN.
1. NN is trying to perform authorization checks on a proxy token. Auth checks only apply to UGI when there is no token, else NN rejects proxy tokens from DNs.
2. Real user does not need to be checked for a proxy token. Task does not know the real user. What's relevant is that the user has a token, not who vouched for the token.
3. Hftp is trying to negotiate Kerberos as the effective user, but the effective user of a proxy ugi has no TGT. The real user has the TGT.

Patch has been tested with direct distcp & oozie + distcp.

> Hftp proxy tokens are broken
> ----------------------------
>
> Key: HDFS-3553
> URL: https://issues.apache.org/jira/browse/HDFS-3553
> Project: Hadoop HDFS
> Issue Type: Bug
> Affects Versions: 1.0.2, 2.0.0-alpha, 3.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HDFS-3553-1.branch-1.0.patch, HDFS-3553.branch-1.0.patch
>
>
> Proxy tokens are broken for hftp. The impact is systems using proxy tokens,
> such as oozie jobs, cannot use hftp.