[ 
https://issues.apache.org/jira/browse/HADOOP-13081?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15508015#comment-15508015
 ] 

Kai Zheng commented on HADOOP-13081:
------------------------------------

This is very interesting. Thanks all for the details.

If Java assumes the not thread-safe and ordering on the credentials set, it may 
be hard to clone the UGI/subject correctly. It can also cause some troubles if 
the derived UGIs are out of sync thereafter.

Just curious:
[~daryn], I thought the change introduced here only provided a new method doing 
the UGI cloning and the corresponding test. It might not affect existing 
methods. Did this new method be called somewhere and cause your the trouble?

[~sershe], in what specific you will run into Kerberos ticket related codes 
after you do the UGI cloning and the 2nd doAs? 

At least, after reverting, we probably should add some comment in the class 
header, asserting that UGI isn't expected to be cloned due to the reasons found 
here.

> add the ability to create multiple UGIs/subjects from one kerberos login
> ------------------------------------------------------------------------
>
>                 Key: HADOOP-13081
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13081
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Sergey Shelukhin
>            Assignee: Sergey Shelukhin
>             Fix For: 2.8.0, 3.0.0-alpha1
>
>         Attachments: HADOOP-13081.01.patch, HADOOP-13081.02.patch, 
> HADOOP-13081.02.patch, HADOOP-13081.03.patch, HADOOP-13081.03.patch, 
> HADOOP-13081.patch
>
>
> We have a scenario where we log in with kerberos as a certain user for some 
> tasks, but also want to add tokens to the resulting UGI that would be 
> specific to each task. We don't want to authenticate with kerberos for every 
> task.
> I am not sure how this can be accomplished with the existing UGI interface. 
> Perhaps some clone method would be helpful, similar to createProxyUser minus 
> the proxy stuff; or it could just relogin anew from ticket cache. 
> getUGIFromTicketCache seems like the best option in existing code, but there 
> doesn't appear to be a consistent way of handling ticket cache location - the 
> above method, that I only see called in test, is using a config setting that 
> is not used anywhere else, and the env variable for the location that is used 
> in the main ticket cache related methods is not set uniformly on all paths - 
> therefore, trying to find the correct ticket cache and passing it via the 
> config setting to getUGIFromTicketCache seems even hackier than doing the 
> clone via reflection ;) Moreover, getUGIFromTicketCache ignores the user 
> parameter on the main path - it logs a warning for multiple principals and 
> then logs in with first available.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to