[jira] Commented: (HADOOP-7101) UserGroupInformation.getCurrentUser() fails when called from non-Hadoop JAAS context

Thu, 13 Jan 2011 17:33:10 -0800 

    [ 
https://issues.apache.org/jira/browse/HADOOP-7101?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12981598#action_12981598
 ] 

Kan Zhang commented on HADOOP-7101:
-----------------------------------

I should note that the original code has an inconsistency in that the caller of 
getCurrentUser() never knows whether the returned currentUser is actually 
associated with the current AccessControlContext. If it is called in a doAs() 
block, then the returned currentUser is associated with the current 
AccessControlContext. Whereas if it is not called in a doAs() block, loginUser 
is returned (login is performed if needed) and this loginUser is NOT associated 
with the current AccessControlContext. This matters when we want to invoke, for 
example, Java GSS/Kerberos library, since these Java libraries will only check 
the current AccessControlContext for credentials. A cleaner approach would have 
been returning null when we're not in a doAs() block, to say that there is no 
currentUser being associated with current AccessControlContext. And if the 
caller wants to use the credentials of the loginUser, call loginUser.doAs() 
explicitly.

It's not the purpose of this patch to fix the above inconsistency. This patch 
simply extends the current semantics. So +1.

> UserGroupInformation.getCurrentUser() fails when called from non-Hadoop JAAS 
> context
> ------------------------------------------------------------------------------------
>
>                 Key: HADOOP-7101
>                 URL: https://issues.apache.org/jira/browse/HADOOP-7101
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.22.0
>            Reporter: Todd Lipcon
>            Assignee: Todd Lipcon
>            Priority: Blocker
>             Fix For: 0.22.0
>
>         Attachments: hadoop-7101.txt
>
>
> If a Hadoop client is run from inside a container like Tomcat, and the 
> current AccessControlContext has a Subject associated with it that is not 
> created by Hadoop, then UserGroupInformation.getCurrentUser() will throw 
> NoSuchElementException, since it assumes that any Subject will have a hadoop 
> User principal.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to