[
https://issues.apache.org/jira/browse/HADOOP-13081?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sergey Shelukhin updated HADOOP-13081:
--------------------------------------
Description:
We have a scenario where we log in with kerberos as a certain user for some
tasks, but also want to add tokens to the resulting UGI that would be specific
to each task. We don't want to authenticate with kerberos for every task.
I am not sure how this can be accomplished with the existing UGI interface.
Perhaps some clone method would be helpful, similar to createProxyUser minus
the proxy stuff; or it could just relogin anew from ticket cache.
getUGIFromTicketCache seems like the best option in existing code, but there
doesn't appear to be a consistent way of handling ticket cache location - the
above method, that I only see called in test, is using a config setting that is
not used anywhere else, and the env variable for the location is not set on all
paths - trying to find the correct ticket cache and setting it in the config
for getUGIFromTicketCache seems even hackier than doing the clone via
reflection ;)
was:
We have a scenario where we log in with kerberos as a certain user for some
tasks, but also want to add tokens to the resulting UGI that would be specific
to each task.
I am not sure how this can be accomplished with the existing UGI interface.
Perhaps some clone method would be helpful, similar to createProxyUser minus
the proxy stuff; or it could just relogin anew from ticket cache.
getUGIFromTicketCache seems like the best option in existing code, but there
doesn't appear to be a consistent way of handling ticket cache location - the
above method, that I only see called in test, is using a config setting that is
not used anywhere else, and the env variable for the location is not set on all
paths - trying to find the correct ticket cache and setting it in the config
for getUGIFromTicketCache seems even hackier than doing the clone via
reflection ;)
> add the ability to create multiple UGIs/subjects from one kerberos login
> ------------------------------------------------------------------------
>
> Key: HADOOP-13081
> URL: https://issues.apache.org/jira/browse/HADOOP-13081
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Sergey Shelukhin
>
> We have a scenario where we log in with kerberos as a certain user for some
> tasks, but also want to add tokens to the resulting UGI that would be
> specific to each task. We don't want to authenticate with kerberos for every
> task.
> I am not sure how this can be accomplished with the existing UGI interface.
> Perhaps some clone method would be helpful, similar to createProxyUser minus
> the proxy stuff; or it could just relogin anew from ticket cache.
> getUGIFromTicketCache seems like the best option in existing code, but there
> doesn't appear to be a consistent way of handling ticket cache location - the
> above method, that I only see called in test, is using a config setting that
> is not used anywhere else, and the env variable for the location is not set
> on all paths - trying to find the correct ticket cache and setting it in the
> config for getUGIFromTicketCache seems even hackier than doing the clone via
> reflection ;)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
