[
https://issues.apache.org/jira/browse/HADOOP-13805?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15666971#comment-15666971
]
Alejandro Abdelnur commented on HADOOP-13805:
---------------------------------------------
[~xiaochen],
If you create a {{UGI}} from {{Subject}} externally, this can done only via the
{{getUGIFromSubject(Subject)}} method, and in that case the UGI should not
relogin from keytab as we already discussed.
If you create a {{UGI}} from another {{UGI}}, ie via {{getCurrentUser()}}, the
created {{UGI}} should not relogin from keytab, the relogin should be done by
the creator {{UGI}} if it has a keytab.
My point is, any {{UGI}} created from a {{Subject}} (directly or via another
{{UGI}}) should never attempt to relogin, it is the creator of the
responsibility to do so.
The bug i'm hitting now is that {{UGI.getCurrentUser()}} creates a new UGI and
this tries to do relogin from keytab even if there is no keytab associated to
the current UGI. This happens when HDFS client is accessing encryption zones,
specifically the HDFS client interacting with the KMS client to get encryption
keys.
> UGI.getCurrentUser() fails if user does not have a keytab associated
> --------------------------------------------------------------------
>
> Key: HADOOP-13805
> URL: https://issues.apache.org/jira/browse/HADOOP-13805
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.8.0, 2.9.0, 3.0.0-alpha2
> Reporter: Alejandro Abdelnur
> Assignee: Xiao Chen
> Priority: Blocker
>
> HADOOP-13558 intention was to avoid UGI from trying to renew the TGT when the
> UGI is created from an existing Subject as in that case the keytab is not
> 'own' by UGI but by the creator of the Subject.
> In HADOOP-13558 we introduced a new private UGI constructor
> {{UserGroupInformation(Subject subject, final boolean externalKeyTab)}} and
> we use with TRUE only when doing a {{UGI.loginUserFromSubject()}}.
> The problem is, when we call {{UGI.getCurrentUser()}}, and UGI was created
> via a Subject (via the {{UGI.loginUserFromSubject()}} method), we call {{new
> UserGroupInformation(subject)}} which will delegate to
> {{UserGroupInformation(Subject subject, final boolean externalKeyTab)}} and
> that will use externalKeyTab == *FALSE*.
> Then the UGI returned by {{UGI.getCurrentUser()}} will attempt to login using
> a non-existing keytab if the TGT expired.
> This problem is experienced in {{KMSClientProvider}} when used by the HDFS
> filesystem client accessing an an encryption zone.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
