Yicong Cai created HADOOP-16521:
-----------------------------------
Summary: Subject has a contradiction between proxy user and real
user
Key: HADOOP-16521
URL: https://issues.apache.org/jira/browse/HADOOP-16521
Project: Hadoop Common
Issue Type: Bug
Reporter: Yicong Cai
In the method UserGroupInformation#loginUserFromSubject, if you specify
ProxyUser with HADOOP_PROXY_USER, and create a Proxy UGI instance, the valid
Credentials are included in the User's PrivateCredentials. The UGI information
is as follows:
{code:java}
proxyUGI
|
|--subject 1
| |
| |--principals
| | |
| | |--user
| | |
| | --real user
| |
| --privCredentials(all cred)
|
--proxy user
{code}
If you first login Real User and then use UserGroupInformation#createProxyUser
to create a Proxy UGI, the valid Credentials information is included in
RealUser's subject PrivateCredentials. The UGI information is as follows:
{code:java}
proxyUGI
|
|--subject 1
| |
| |--principals
| | |
| | |--user
| | |
| | --real user
| | |
| | --subject 2
| | |
| | --privCredentials(all cred)
| |
| --privCredentials(empty)
|
--proxy user{code}
Use the proxy user in the HDFS FileSystem to perform token-related operations.
However, in the RPC Client Connection, use the token in RealUser for
SaslRpcClient#saslConnect.
So the main contradiction is, should ProxyUser's real Credentials information
be placed in ProxyUGI's subject, or should it be placed in RealUser's subject?
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
