[jira] [Updated] (HDFS-3367) WebHDFS doesn't use the logged in user when opening connections
[
https://issues.apache.org/jira/browse/HDFS-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Daryn Sharp updated HDFS-3367:
--
Resolution: Fixed
Target Version/s: 2.0.3-alpha, 1.2.0, 3.0.0, 0.23.7 (was: 1.2.0, 3.0.0,
2.0.3-alpha, 0.23.7)
Hadoop Flags: Reviewed
Status: Resolved (was: Patch Available)
Thanks Alejandro, I have committed to trunk/2/23.
WebHDFS doesn't use the logged in user when opening connections
---
Key: HDFS-3367
URL: https://issues.apache.org/jira/browse/HDFS-3367
Project: Hadoop HDFS
Issue Type: Sub-task
Components: webhdfs
Affects Versions: 0.23.0, 1.0.2, 2.0.0-alpha, 3.0.0
Reporter: Jakob Homan
Assignee: Daryn Sharp
Priority: Critical
Attachments: HDFS-3367.branch-23.patch, HDFS-3367.branch-23.patch,
HDFS-3367.patch, HDFS-3367.patch, HDFS-3367.patch
Something along the lines of
{noformat}
UserGroupInformation.loginUserFromKeytab(blah blah)
Filesystem fs = FileSystem.get(new URI(webhdfs://blah), conf)
{noformat}
doesn't work as webhdfs doesn't use the correct context and the user shows up
to the spnego filter without kerberos credentials:
{noformat}Exception in thread main java.io.IOException: Authentication
failed,
url=http://NN:50070/webhdfs/v1/?op=GETDELEGATIONTOKENuser.name=USER
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:337)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.httpConnect(WebHdfsFileSystem.java:347)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.run(WebHdfsFileSystem.java:403)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getDelegationToken(WebHdfsFileSystem.java:675)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initDelegationToken(WebHdfsFileSystem.java:176)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initialize(WebHdfsFileSystem.java:160)
at
org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386)
...
Caused by:
org.apache.hadoop.security.authentication.client.AuthenticationException:
GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt)
at
org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:232)
at
org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:141)
at
org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:217)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:332)
... 16 more
Caused by: GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos tgt)
at
sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
...{noformat}
Explicitly getting the current user's context via a doAs block works, but
this should be done by webhdfs.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HDFS-3367) WebHDFS doesn't use the logged in user when opening connections
[
https://issues.apache.org/jira/browse/HDFS-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Daryn Sharp updated HDFS-3367:
--
Issue Type: Sub-task (was: Bug)
Parent: HDFS-4576
WebHDFS doesn't use the logged in user when opening connections
---
Key: HDFS-3367
URL: https://issues.apache.org/jira/browse/HDFS-3367
Project: Hadoop HDFS
Issue Type: Sub-task
Components: webhdfs
Affects Versions: 0.23.0, 1.0.2, 2.0.0-alpha, 3.0.0
Reporter: Jakob Homan
Assignee: Daryn Sharp
Priority: Critical
Attachments: HDFS-3367.branch-23.patch, HDFS-3367.patch,
HDFS-3367.patch
Something along the lines of
{noformat}
UserGroupInformation.loginUserFromKeytab(blah blah)
Filesystem fs = FileSystem.get(new URI(webhdfs://blah), conf)
{noformat}
doesn't work as webhdfs doesn't use the correct context and the user shows up
to the spnego filter without kerberos credentials:
{noformat}Exception in thread main java.io.IOException: Authentication
failed,
url=http://NN:50070/webhdfs/v1/?op=GETDELEGATIONTOKENuser.name=USER
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:337)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.httpConnect(WebHdfsFileSystem.java:347)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.run(WebHdfsFileSystem.java:403)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getDelegationToken(WebHdfsFileSystem.java:675)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initDelegationToken(WebHdfsFileSystem.java:176)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initialize(WebHdfsFileSystem.java:160)
at
org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386)
...
Caused by:
org.apache.hadoop.security.authentication.client.AuthenticationException:
GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt)
at
org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:232)
at
org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:141)
at
org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:217)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:332)
... 16 more
Caused by: GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos tgt)
at
sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
...{noformat}
Explicitly getting the current user's context via a doAs block works, but
this should be done by webhdfs.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HDFS-3367) WebHDFS doesn't use the logged in user when opening connections
[
https://issues.apache.org/jira/browse/HDFS-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Daryn Sharp updated HDFS-3367:
--
Attachment: HDFS-3367.patch
HDFS-3367.branch-23.patch
Uses the instantiating UGI to open all connections. Authenticated urls are
only used for token ops, since all others are secured by a delegation token.
WebHDFS doesn't use the logged in user when opening connections
---
Key: HDFS-3367
URL: https://issues.apache.org/jira/browse/HDFS-3367
Project: Hadoop HDFS
Issue Type: Sub-task
Components: webhdfs
Affects Versions: 0.23.0, 1.0.2, 2.0.0-alpha, 3.0.0
Reporter: Jakob Homan
Assignee: Daryn Sharp
Priority: Critical
Attachments: HDFS-3367.branch-23.patch, HDFS-3367.branch-23.patch,
HDFS-3367.patch, HDFS-3367.patch, HDFS-3367.patch
Something along the lines of
{noformat}
UserGroupInformation.loginUserFromKeytab(blah blah)
Filesystem fs = FileSystem.get(new URI(webhdfs://blah), conf)
{noformat}
doesn't work as webhdfs doesn't use the correct context and the user shows up
to the spnego filter without kerberos credentials:
{noformat}Exception in thread main java.io.IOException: Authentication
failed,
url=http://NN:50070/webhdfs/v1/?op=GETDELEGATIONTOKENuser.name=USER
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:337)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.httpConnect(WebHdfsFileSystem.java:347)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.run(WebHdfsFileSystem.java:403)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getDelegationToken(WebHdfsFileSystem.java:675)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initDelegationToken(WebHdfsFileSystem.java:176)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initialize(WebHdfsFileSystem.java:160)
at
org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386)
...
Caused by:
org.apache.hadoop.security.authentication.client.AuthenticationException:
GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt)
at
org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:232)
at
org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:141)
at
org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:217)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:332)
... 16 more
Caused by: GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos tgt)
at
sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
...{noformat}
Explicitly getting the current user's context via a doAs block works, but
this should be done by webhdfs.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HDFS-3367) WebHDFS doesn't use the logged in user when opening connections
[
https://issues.apache.org/jira/browse/HDFS-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Daryn Sharp updated HDFS-3367:
--
Attachment: HDFS-3367.patch
Will report back with testing results shortly.
WebHDFS doesn't use the logged in user when opening connections
---
Key: HDFS-3367
URL: https://issues.apache.org/jira/browse/HDFS-3367
Project: Hadoop HDFS
Issue Type: Bug
Components: webhdfs
Affects Versions: 0.23.0, 1.0.2, 2.0.0-alpha, 3.0.0
Reporter: Jakob Homan
Assignee: Daryn Sharp
Priority: Critical
Attachments: HDFS-3367.branch-23.patch, HDFS-3367.patch,
HDFS-3367.patch
Something along the lines of
{noformat}
UserGroupInformation.loginUserFromKeytab(blah blah)
Filesystem fs = FileSystem.get(new URI(webhdfs://blah), conf)
{noformat}
doesn't work as webhdfs doesn't use the correct context and the user shows up
to the spnego filter without kerberos credentials:
{noformat}Exception in thread main java.io.IOException: Authentication
failed,
url=http://NN:50070/webhdfs/v1/?op=GETDELEGATIONTOKENuser.name=USER
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:337)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.httpConnect(WebHdfsFileSystem.java:347)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.run(WebHdfsFileSystem.java:403)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getDelegationToken(WebHdfsFileSystem.java:675)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initDelegationToken(WebHdfsFileSystem.java:176)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initialize(WebHdfsFileSystem.java:160)
at
org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386)
...
Caused by:
org.apache.hadoop.security.authentication.client.AuthenticationException:
GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt)
at
org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:232)
at
org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:141)
at
org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:217)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:332)
... 16 more
Caused by: GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos tgt)
at
sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
...{noformat}
Explicitly getting the current user's context via a doAs block works, but
this should be done by webhdfs.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HDFS-3367) WebHDFS doesn't use the logged in user when opening connections
[
https://issues.apache.org/jira/browse/HDFS-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Daryn Sharp updated HDFS-3367:
--
Attachment: HDFS-3367.patch
HDFS-3367.branch-23.patch
Wrap the opening of a connection with a doAs, similar to hftp. No tests are
included since kerberos must be enabled, but it has been successfully tested
with an internal application that is encountering this issue.
WebHDFS doesn't use the logged in user when opening connections
---
Key: HDFS-3367
URL: https://issues.apache.org/jira/browse/HDFS-3367
Project: Hadoop HDFS
Issue Type: Bug
Components: webhdfs
Affects Versions: 0.23.0, 1.0.2, 2.0.0-alpha, 3.0.0
Reporter: Jakob Homan
Assignee: Daryn Sharp
Priority: Critical
Attachments: HDFS-3367.branch-23.patch, HDFS-3367.patch
Something along the lines of
{noformat}
UserGroupInformation.loginUserFromKeytab(blah blah)
Filesystem fs = FileSystem.get(new URI(webhdfs://blah), conf)
{noformat}
doesn't work as webhdfs doesn't use the correct context and the user shows up
to the spnego filter without kerberos credentials:
{noformat}Exception in thread main java.io.IOException: Authentication
failed,
url=http://NN:50070/webhdfs/v1/?op=GETDELEGATIONTOKENuser.name=USER
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:337)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.httpConnect(WebHdfsFileSystem.java:347)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.run(WebHdfsFileSystem.java:403)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getDelegationToken(WebHdfsFileSystem.java:675)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initDelegationToken(WebHdfsFileSystem.java:176)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initialize(WebHdfsFileSystem.java:160)
at
org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386)
...
Caused by:
org.apache.hadoop.security.authentication.client.AuthenticationException:
GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt)
at
org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:232)
at
org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:141)
at
org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:217)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:332)
... 16 more
Caused by: GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos tgt)
at
sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
...{noformat}
Explicitly getting the current user's context via a doAs block works, but
this should be done by webhdfs.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HDFS-3367) WebHDFS doesn't use the logged in user when opening connections
[
https://issues.apache.org/jira/browse/HDFS-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Daryn Sharp updated HDFS-3367:
--
Status: Patch Available (was: Open)
WebHDFS doesn't use the logged in user when opening connections
---
Key: HDFS-3367
URL: https://issues.apache.org/jira/browse/HDFS-3367
Project: Hadoop HDFS
Issue Type: Bug
Components: webhdfs
Affects Versions: 2.0.0-alpha, 1.0.2, 0.23.0, 3.0.0
Reporter: Jakob Homan
Assignee: Daryn Sharp
Priority: Critical
Attachments: HDFS-3367.branch-23.patch, HDFS-3367.patch
Something along the lines of
{noformat}
UserGroupInformation.loginUserFromKeytab(blah blah)
Filesystem fs = FileSystem.get(new URI(webhdfs://blah), conf)
{noformat}
doesn't work as webhdfs doesn't use the correct context and the user shows up
to the spnego filter without kerberos credentials:
{noformat}Exception in thread main java.io.IOException: Authentication
failed,
url=http://NN:50070/webhdfs/v1/?op=GETDELEGATIONTOKENuser.name=USER
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:337)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.httpConnect(WebHdfsFileSystem.java:347)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.run(WebHdfsFileSystem.java:403)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getDelegationToken(WebHdfsFileSystem.java:675)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initDelegationToken(WebHdfsFileSystem.java:176)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initialize(WebHdfsFileSystem.java:160)
at
org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386)
...
Caused by:
org.apache.hadoop.security.authentication.client.AuthenticationException:
GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt)
at
org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:232)
at
org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:141)
at
org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:217)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:332)
... 16 more
Caused by: GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos tgt)
at
sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
...{noformat}
Explicitly getting the current user's context via a doAs block works, but
this should be done by webhdfs.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HDFS-3367) WebHDFS doesn't use the logged in user when opening connections
[
https://issues.apache.org/jira/browse/HDFS-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Daryn Sharp updated HDFS-3367:
--
Target Version/s: 1.2.0, 3.0.0, 2.0.3-alpha, 0.23.7 (was: 1.2.0)
Affects Version/s: 3.0.0
0.23.0
2.0.0-alpha
WebHDFS doesn't use the logged in user when opening connections
---
Key: HDFS-3367
URL: https://issues.apache.org/jira/browse/HDFS-3367
Project: Hadoop HDFS
Issue Type: Bug
Components: webhdfs
Affects Versions: 0.23.0, 1.0.2, 2.0.0-alpha, 3.0.0
Reporter: Jakob Homan
Assignee: Daryn Sharp
Priority: Critical
Something along the lines of
{noformat}
UserGroupInformation.loginUserFromKeytab(blah blah)
Filesystem fs = FileSystem.get(new URI(webhdfs://blah), conf)
{noformat}
doesn't work as webhdfs doesn't use the correct context and the user shows up
to the spnego filter without kerberos credentials:
{noformat}Exception in thread main java.io.IOException: Authentication
failed,
url=http://NN:50070/webhdfs/v1/?op=GETDELEGATIONTOKENuser.name=USER
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:337)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.httpConnect(WebHdfsFileSystem.java:347)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.run(WebHdfsFileSystem.java:403)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getDelegationToken(WebHdfsFileSystem.java:675)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initDelegationToken(WebHdfsFileSystem.java:176)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initialize(WebHdfsFileSystem.java:160)
at
org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386)
...
Caused by:
org.apache.hadoop.security.authentication.client.AuthenticationException:
GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt)
at
org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:232)
at
org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:141)
at
org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:217)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:332)
... 16 more
Caused by: GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos tgt)
at
sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
...{noformat}
Explicitly getting the current user's context via a doAs block works, but
this should be done by webhdfs.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HDFS-3367) WebHDFS doesn't use the logged in user when opening connections
[
https://issues.apache.org/jira/browse/HDFS-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Eli Collins updated HDFS-3367:
--
Priority: Critical (was: Major)
Target Version/s: 1.2.0
Bumping since w/o this secure distcp using webhdfs won't work for some people.
WebHDFS doesn't use the logged in user when opening connections
---
Key: HDFS-3367
URL: https://issues.apache.org/jira/browse/HDFS-3367
Project: Hadoop HDFS
Issue Type: Bug
Components: webhdfs
Affects Versions: 1.0.2
Reporter: Jakob Homan
Priority: Critical
Something along the lines of
{noformat}
UserGroupInformation.loginUserFromKeytab(blah blah)
Filesystem fs = FileSystem.get(new URI(webhdfs://blah), conf)
{noformat}
doesn't work as webhdfs doesn't use the correct context and the user shows up
to the spnego filter without kerberos credentials:
{noformat}Exception in thread main java.io.IOException: Authentication
failed,
url=http://NN:50070/webhdfs/v1/?op=GETDELEGATIONTOKENuser.name=USER
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:337)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.httpConnect(WebHdfsFileSystem.java:347)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.run(WebHdfsFileSystem.java:403)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getDelegationToken(WebHdfsFileSystem.java:675)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initDelegationToken(WebHdfsFileSystem.java:176)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initialize(WebHdfsFileSystem.java:160)
at
org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386)
...
Caused by:
org.apache.hadoop.security.authentication.client.AuthenticationException:
GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt)
at
org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:232)
at
org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:141)
at
org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:217)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:332)
... 16 more
Caused by: GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos tgt)
at
sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
...{noformat}
Explicitly getting the current user's context via a doAs block works, but
this should be done by webhdfs.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HDFS-3367) WebHDFS doesn't use the logged in user when opening connections
[
https://issues.apache.org/jira/browse/HDFS-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Eli Collins updated HDFS-3367:
--
Component/s: webhdfs
WebHDFS doesn't use the logged in user when opening connections
---
Key: HDFS-3367
URL: https://issues.apache.org/jira/browse/HDFS-3367
Project: Hadoop HDFS
Issue Type: Bug
Components: webhdfs
Affects Versions: 1.0.2
Reporter: Jakob Homan
Priority: Critical
Something along the lines of
{noformat}
UserGroupInformation.loginUserFromKeytab(blah blah)
Filesystem fs = FileSystem.get(new URI(webhdfs://blah), conf)
{noformat}
doesn't work as webhdfs doesn't use the correct context and the user shows up
to the spnego filter without kerberos credentials:
{noformat}Exception in thread main java.io.IOException: Authentication
failed,
url=http://NN:50070/webhdfs/v1/?op=GETDELEGATIONTOKENuser.name=USER
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:337)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.httpConnect(WebHdfsFileSystem.java:347)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.run(WebHdfsFileSystem.java:403)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getDelegationToken(WebHdfsFileSystem.java:675)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initDelegationToken(WebHdfsFileSystem.java:176)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initialize(WebHdfsFileSystem.java:160)
at
org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386)
...
Caused by:
org.apache.hadoop.security.authentication.client.AuthenticationException:
GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt)
at
org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:232)
at
org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:141)
at
org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:217)
at
org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:332)
... 16 more
Caused by: GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos tgt)
at
sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
...{noformat}
Explicitly getting the current user's context via a doAs block works, but
this should be done by webhdfs.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
