[ https://issues.apache.org/jira/browse/HADOOP-16521?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daryn Sharp resolved HADOOP-16521.
----------------------------------
    Resolution: Invalid

> Subject has a contradiction between proxy user and real user
> ------------------------------------------------------------
>
>                 Key: HADOOP-16521
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16521
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Yicong Cai
>            Priority: Major
>
> In the method UserGroupInformation#loginUserFromSubject, if you specify 
> ProxyUser with HADOOP_PROXY_USER, and create a Proxy UGI instance, the valid 
> Credentials are included in the User's PrivateCredentials. The UGI 
> information is as follows:
>  
> {code:java}
>  proxyUGI
>  |
>  |--subject 1
>  | |
>  | |--principals
>  | | |
>  | | |--user
>  | | |
>  | |  --real user
>  | |
>  |  --privCredentials(all cred)
>  |
>   --proxy user
> {code}
>  
> If you first log in the Real User and then use 
> UserGroupInformation#createProxyUser to create a Proxy UGI, the valid 
> Credentials information is included in RealUser's subject PrivateCredentials. 
> The UGI information is as follows:
>  
> {code:java}
> proxyUGI
>  |
>  |--subject 1
>  | |
>  | |--principals
>  | | |
>  | | |--user
>  | | |
>  | |  --real user
>  | |    |
>  | |     --subject 2
>  | |       |
>  | |        --privCredentials(all cred)
>  | |
>  |  --privCredentials(empty)
>  |
>   --proxy user
> {code}
>  
> Use the proxy user in the HDFS FileSystem to perform token-related operations.
> However, in the RPC Client Connection, use the token in RealUser for 
> SaslRpcClient#saslConnect.
> So the main contradiction is, should ProxyUser's real Credentials information 
> be placed in ProxyUGI's subject, or should it be placed in RealUser's subject?



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
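
To see which Subject holds tokens in the createProxyUser layout described in the quoted issue, the following added example (not code from the issue or from the Hadoop project) prints the token counts for a proxy UGI and its real user. It assumes hadoop-common on the classpath with simple authentication; the user names "svc" and "alice", the helper names, and all token fields are constructed sample values.

```java
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

public class ProxyUgiCredentialLayout {

    // Hypothetical helper: report how many tokens sit in the UGI's own Subject
    // and, for a proxy UGI, how many sit in the real user's separate Subject.
    static String layout(UserGroupInformation ugi) {
        UserGroupInformation real = ugi.getRealUser(); // null when ugi is not a proxy
        String s = ugi.getUserName() + ": own=" + ugi.getTokens().size();
        if (real != null) {
            s += ", realUser(" + real.getUserName() + ")=" + real.getTokens().size();
        }
        return s;
    }

    // Constructed token: identifier, password, kind and service are sample values.
    static Token<TokenIdentifier> sampleToken(String service) {
        return new Token<>("id".getBytes(), "pw".getBytes(),
                new Text("SAMPLE_KIND"), new Text(service));
    }

    public static void main(String[] args) {
        // Real user first, holding the credential (the second diagram in the issue).
        UserGroupInformation real = UserGroupInformation.createRemoteUser("svc");
        real.addToken(sampleToken("nn1:8020"));

        // The proxy UGI gets a new Subject; the real user's tokens are not copied into it.
        UserGroupInformation proxy = UserGroupInformation.createProxyUser("alice", real);
        System.out.println(layout(proxy));

        // A token added through the proxy UGI lands in the proxy's own Subject
        // and leaves the real user's Subject unchanged.
        proxy.addToken(sampleToken("nn2:8020"));
        System.out.println(layout(proxy));
    }
}
```

Running the same `layout` helper against the login UGI of a process started with HADOOP_PROXY_USER set shows which of the two layouts from the issue that process ended up with.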
