Ranadip created HADOOP-11478:
--------------------------------
Summary: HttpFSServer does not properly impersonate a real user when executing "open" operation in a kerberised environment
Key: HADOOP-11478
URL: https://issues.apache.org/jira/browse/HADOOP-11478
Project: Hadoop Common
Issue Type: Bug
Affects Versions: 2.6.0
Environment: CentOS
Reporter: Ranadip
Priority: Blocker
Setup:
- Kerberos enabled in the cluster, including Hue SSO
- Encryption enabled using KMS. Encryption key and encryption zone created. KMS key level ACL created to allow only real user to have all access to the key and no one else.
Manifestation:
Using Hue, real user logged in using Kerberos credentials. For direct access,
user does kinit and then uses curl calls.
New file creation inside encryption zone goes ahead fine as expected.
But attempts to view the contents of the file fail with the exception:
"User [httpfs] is not authorized to perform [DECRYPT_EEK] on key with ACL name [mykeyname]!!"
Perhaps this is linked to bug #HDFS-6849. In the file HttpFSServer.java, the OPEN handler calls command.execute(fs) directly (and this fails). In CREATE, that call is wrapped within fsExecute(user, command). Apparently, this seems to cause the problem.
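As an added illustration (not HttpFSServer's own code), here is the pattern the report describes: the OPEN path runs the filesystem command under whatever identity the thread already holds (the service's httpfs login), while the CREATE path runs it inside a proxy UGI for the real user, which is the principal the KMS key ACL actually checks. The class and method names (HttpFsOpenExample, openAsService, openAsRealUser) and the realUser parameter are hypothetical; the Hadoop UserGroupInformation and FileSystem calls are real APIs.

```java
import java.io.IOException;
import java.net.URI;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FSDataInputStream;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

/** Hypothetical helper illustrating the impersonation gap described in the report. */
public class HttpFsOpenExample {

  /**
   * Defective pattern (what the report describes for OPEN): the FileSystem is obtained and
   * used under the identity the current thread holds, i.e. the service's Kerberos login
   * (httpfs). For a file in an encryption zone the DECRYPT_EEK request reaches the KMS as
   * "httpfs", which the key-level ACL rejects.
   */
  static FSDataInputStream openAsService(URI nameNode, Path file, Configuration conf)
      throws IOException {
    FileSystem fs = FileSystem.get(nameNode, conf);
    return fs.open(file);
  }

  /**
   * Corrected pattern (what CREATE already gets via fsExecute): wrap the operation in a proxy
   * UGI for the real user, with the service login as the proxying identity. Everything inside
   * doAs, including the DECRYPT_EEK call the encrypted input stream makes to the KMS, runs as
   * the real user, so the key ACL is evaluated against the right principal.
   */
  static FSDataInputStream openAsRealUser(final URI nameNode, final Path file,
      final Configuration conf, String realUser) throws IOException, InterruptedException {
    UserGroupInformation proxy =
        UserGroupInformation.createProxyUser(realUser, UserGroupInformation.getLoginUser());
    return proxy.doAs(new PrivilegedExceptionAction<FSDataInputStream>() {
      @Override
      public FSDataInputStream run() throws IOException {
        // Obtaining the FileSystem inside doAs binds it to the proxy user's credentials.
        FileSystem fs = FileSystem.get(nameNode, conf);
        return fs.open(file);
      }
    });
  }
}
```

For the proxied call to be accepted, the NameNode and KMS must also permit httpfs to impersonate via the hadoop.proxyuser.httpfs.hosts and hadoop.proxyuser.httpfs.groups settings; an authorized ACL on the key alone is not sufficient.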
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)