[
https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Owen O'Malley updated HADOOP-6299:
----------------------------------
Attachment: UserGroupInformation.java
This is a prototype of what I have in mind. In particular:
1. Reimplement UserGroupInformation (UGI) to be based entirely on JAAS.
2. UGI will have a single field that is the JAAS Subject that stores all of the
information.
3. UGI will support both Unix and Kerberos authentication. Unix is the
equivalent of what we have now. Kerberos will assume that the user has a TGT in
the ticket cache.
4. Servers will be able to login in using a Kerberos keytab and principal name
so that they run as the user.
5. There will be a method to create a remote user based solely on the user name.
6. It will use the Hadoop configuration to determine whether Kerberos or simple
authentication is used. The JAAS configuration is done programatically instead
of needing a separate configuration file in $JAVA_HOME.
7. Move User class into UserGroupInformation.
8. Remove Group class.
9. Remove UnixUserGroupInformation class.
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Fix For: 0.22.0
>
> Attachments: UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for
> acquiring user-credentials (via config or exec'ing 'whoami'). We should
> switch to using standard JAAS components such as LoginContext and possibly
> implement a custom UnixLoginContext for our current requirements. In future
> we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
