IBM JDK is one of the Java implementations that defaults the ticket cache to a
path other than /tmp/krb5*. If I recall correctly, most of the logic was
implemented in UGI by passing the ticketCachePath parameter in the 2012-13 time
frame. The new addition will follow the MIT Kerberos lookup order, which is a
good improvement with low risk. I think it's a great improvement to have.
 
Regards,
Eric

On 3/21/19, 8:35 AM, "Vipin Rathor" <v.rat...@gmail.com> wrote:

    Thank you Steve for your reply.
    
    > If you haven't guessed, Kerberos is an eternal source of pain and suffering
    Agreed. But it hurts us further when our utilities don't behave the way
    they are expected to.
    
    > Any change must be matched with clarifications to the hadoop security docs,
    and KDiag extended to provide extra information about the source of the cache.
    Understood. I'll keep this in mind.
    
    > One big risk here is over regressions across versions of clients
    Yes, agreed again. We can keep the current behavior intact and introduce 
this change as a configurable option. I believe more Kerberos admins would like 
to opt for this as this is how any Kerberos client is expected to work.
    
    Suggestions/ comments?
    
    Regards,
    Vipin
    
    > On Mar 19, 2019, at 03:27, Steve Loughran <ste...@cloudera.com.invalid> wrote:
    > 
    > If you haven't guessed, Kerberos is an eternal source of pain and
    > suffering
    > 
    > Any change must be matched with clarifications to the hadoop security docs,
    > and KDiag extended to provide extra information about the source of the
    > cache.
    > 
    > One big risk here is over regressions across versions of clients
    > 
    > 
    >> On Mon, Mar 18, 2019 at 11:48 PM Vipin Rathor <v.rat...@gmail.com> wrote:
    >> 
    >> Hello Devs,
    >> I'm Vipin, a long time Apache Hadoop user and I like to tinker around in my
    >> free time. I've been an MIT Kerberos contributor in my past life.
    >> 
    >> While chasing the Kerberos credential cache usage in Hadoop, I found out
    >> that UGI code[1] makes use of KRB5CCNAME environment variable to find the
    >> credential cache name and defaults to /tmp/krb5cc_$uid when there is no
    >> KRB5CCNAME defined, while completely ignoring the values defined in
    >> /etc/krb5.conf.
    >> 
    >> As per MIT Kerberos doc[2], the correct credential cache location logic
    >> should be:
    >> ****************************
    >> Default ccache name
    >> The default credential cache name is determined by the following, in
    >> descending order of priority:
    >>    The KRB5CCNAME environment variable. For example,
    >> KRB5CCNAME=DIR:/mydir/.
    >>    The default_ccache_name profile variable in [libdefaults].
    >>    The hardcoded default, DEFCCNAME.
    >> ****************************
    >> 
    >> I propose to include support for reading default_ccache_name from
    >> /etc/krb5.conf while deciding the right Kerberos credential cache to use.
    >> 
    >> I am testing a patch currently but wanted to check what the community
    >> thinks before submitting.
    >> 
    >> Thanks for reading and I'm open to discussing any suggestions.
    >> 
    >> Regards,
    >> Vipin
    >> 
    >> [1]
    >> https://github.com/apache/hadoop/blob/ae3a2c3851cbf7f010f7ae5734ed9e2dbac5d50c/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java#L2045
    >> [2]
    >> https://web.mit.edu/kerberos/krb5-1.15/doc/basic/ccache_def.html#default-ccache-name
    >> 
    
    
    

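The lookup order quoted from the MIT documentation above, and the gap Vipin describes between it and the UGI behaviour (KRB5CCNAME or else /tmp/krb5cc_$uid, with krb5.conf ignored), worked through as an added example. This is not code from Hadoop, MIT krb5 or anyone in the thread: the krb5.conf parser is a small one written for this example, the sample krb5.conf is constructed, and the hardcoded default used here is MIT's Unix DEFCCNAME (FILE:/tmp/krb5cc_%{uid}); only the %{uid} parameter is expanded, although MIT supports others.

```python
"""Resolve the default Kerberos credential cache the way MIT krb5 does.

Lookup order (from the MIT ccache documentation quoted in the thread):
  1. the KRB5CCNAME environment variable
  2. default_ccache_name in the [libdefaults] section of krb5.conf
  3. the hardcoded default (MIT's DEFCCNAME on Unix: FILE:/tmp/krb5cc_%{uid})

Example code only: the parser below is written for this illustration and is
neither Hadoop's UserGroupInformation logic nor MIT's profile library.
"""
import os
import re

HARDCODED_DEFAULT = "FILE:/tmp/krb5cc_%{uid}"  # MIT's DEFCCNAME on Unix

# Constructed sample krb5.conf: an admin has moved caches into the kernel keyring.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    # caches live in the session keyring, not under /tmp
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""


def parse_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section of a krb5.conf.

    Minimal: handles '[section]' headers, 'key = value' lines and '#' comments.
    Nested '{ }' blocks in other sections are skipped because we only read
    [libdefaults].
    """
    section = None
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values


def expand_params(name, uid):
    """Expand the %{uid} parameter (MIT also expands %{username} and others)."""
    return name.replace("%{uid}", str(uid))


def resolve_ccache(env, krb5_conf_text, uid):
    """Apply the MIT lookup order; return (source, expanded cache name)."""
    if env.get("KRB5CCNAME"):
        return ("KRB5CCNAME", expand_params(env["KRB5CCNAME"], uid))
    libdefaults = parse_libdefaults(krb5_conf_text)
    if libdefaults.get("default_ccache_name"):
        return ("krb5.conf default_ccache_name",
                expand_params(libdefaults["default_ccache_name"], uid))
    return ("hardcoded default", expand_params(HARDCODED_DEFAULT, uid))


def legacy_hadoop_ccache(env, uid):
    """The behaviour the thread describes for UGI: env var or /tmp/krb5cc_$uid.

    Modelled here for comparison; this is not UGI's actual code.
    """
    return env.get("KRB5CCNAME") or "/tmp/krb5cc_%d" % uid


if __name__ == "__main__":
    uid = os.getuid() if hasattr(os, "getuid") else 1000
    env = {k: v for k, v in os.environ.items() if k == "KRB5CCNAME"}
    src, name = resolve_ccache(env, SAMPLE_KRB5_CONF, uid)
    print("MIT order  :", name, "(from %s)" % src)
    print("legacy UGI :", legacy_hadoop_ccache(env, uid))
```

With KRB5CCNAME unset and the sample config, the MIT order yields KEYRING:persistent:&lt;uid&gt; while the legacy path yields /tmp/krb5cc_&lt;uid&gt;, which is exactly the mismatch between kinit and Hadoop clients that the proposal addresses; the `source` value returned is the kind of information KDiag could report, as Steve asks.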