This is an automated email from the ASF dual-hosted git repository.

weichiu pushed a commit to branch branch-3.1
in repository https://gitbox.apache.org/repos/asf/hadoop.git


The following commit(s) were added to refs/heads/branch-3.1 by this push:
     new b5022b0  HDFS-14668 Support Fuse with Users from multiple Security 
Realms (#1739)
b5022b0 is described below

commit b5022b0515b5c026659e94c69221a281804dcfe9
Author: Istvan Fajth <[email protected]>
AuthorDate: Thu Feb 27 16:48:15 2020 +0100

    HDFS-14668 Support Fuse with Users from multiple Security Realms (#1739)
    
    (cherry picked from commit 57aa048516f5c5fe02441d213b52ce1bbeddf823)
    (cherry picked from commit e42ac486e7eecb6a24ac95f1ceaf61d24060adef)
---
 .../src/main/native/fuse-dfs/fuse_connect.c                  | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git 
a/hadoop-hdfs-project/hadoop-hdfs-native-client/src/main/native/fuse-dfs/fuse_connect.c
 
b/hadoop-hdfs-project/hadoop-hdfs-native-client/src/main/native/fuse-dfs/fuse_connect.c
index 6ee4ad5..9bf526f 100644
--- 
a/hadoop-hdfs-project/hadoop-hdfs-native-client/src/main/native/fuse-dfs/fuse_connect.c
+++ 
b/hadoop-hdfs-project/hadoop-hdfs-native-client/src/main/native/fuse-dfs/fuse_connect.c
@@ -472,7 +472,6 @@ static int fuseNewConnect(const char *usrname, struct 
fuse_context *ctx,
   if (gPort) {
     hdfsBuilderSetNameNodePort(bld, gPort);
   }
-  hdfsBuilderSetUserName(bld, usrname);
   if (gHdfsAuthConf == AUTH_CONF_KERBEROS) {
     findKerbTicketCachePath(ctx, kpath, sizeof(kpath));
     if (stat(kpath, &st) < 0) {
@@ -491,6 +490,17 @@ static int fuseNewConnect(const char *usrname, struct 
fuse_context *ctx,
       ret = -ENOMEM;
       goto error;
     }
+  } else {
+    // earlier the username was set to the builder always, but due to
+    // HADOOP-9747 if we specify the username in case of kerberos 
authentication
+    // the username will be used as the principal name, and that will conflict
+    // with ticket cache based authentication as we have the OS user name here
+    // not the real kerberos principal name. So with SIMPLE auth we pass on the
+    // OS username still, and the UGI will use that as the username, but with
+    // kerberos authentication we do not pass in the OS username and let the
+    // authentication happen with the principal who's ticket is in the ticket
+    // cache. (HDFS-15034 is still a possible improvement for SIMPLE AUTH.)
+    hdfsBuilderSetUserName(bld, usrname);
   }
   conn->usrname = strdup(usrname);
   if (!conn->usrname) {
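Review bot: `conn->usrname = strdup(usrname);` after the new `else` block still records the OS user name, while in the `AUTH_CONF_KERBEROS` branch the HDFS identity is now whichever principal owns the ticket found at `kpath`, so the two can differ. If connections are cached, reused or audited by `conn->usrname` (not visible in this hunk), a connection could be attributed to one user while it is authenticated as another principal. It is worth confirming that `findKerbTicketCachePath` binds the cache path to the calling uid and that a replaced ticket cache invalidates the existing connection. At minimum I would add a comment at the `strdup`, e.g. `// with Kerberos this is the OS user name (lookup key only), not the authenticated principal`. `fuseNewConnect` starts and ends outside the hunk.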

