[ https://issues.apache.org/jira/browse/HADOOP-13805?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15826597#comment-15826597 ]

Yongjun Zhang commented on HADOOP-13805:
----------------------------------------

Thanks [~tucu00].

I think you listed two options, one is to make this potentially incompatible 
change; the other is to create a new UGI and obsolete the old/incorrect 
implementation later on.

It may not be too bad to go with option one. Say, with option two, we may hit 
the issue reported here. With option one, we need to watch out for how things 
are broken due to the incompatible change, and fix accordingly.

If we go with option one, if client code is broken, the client code needs to be 
changed to do the renewal. Would you please help put together a recommended 
change as part of the release notes of this jira?

If we go with option one, I'm +1 on Wei-Chiu's rev6 (I found that it may not be 
easy to add the test you proposed as a unit test due to the run time). Would you 
please also take a look at rev6?

Thanks.


> UGI.getCurrentUser() fails if user does not have a keytab associated
> --------------------------------------------------------------------
>
>                 Key: HADOOP-13805
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13805
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.8.0, 2.9.0, 3.0.0-alpha2
>            Reporter: Alejandro Abdelnur
>            Assignee: Xiao Chen
>         Attachments: HADOOP-13805.006.patch, HADOOP-13805.01.patch, 
> HADOOP-13805.02.patch, HADOOP-13805.03.patch, HADOOP-13805.04.patch, 
> HADOOP-13805.05.patch
>
>
> HADOOP-13558's intention was to avoid UGI trying to renew the TGT when the 
> UGI is created from an existing Subject, as in that case the keytab is not 
> 'owned' by UGI but by the creator of the Subject.
> In HADOOP-13558 we introduced a new private UGI constructor 
> {{UserGroupInformation(Subject subject, final boolean externalKeyTab)}} and 
> we use it with TRUE only when doing a {{UGI.loginUserFromSubject()}}.
> The problem is, when we call {{UGI.getCurrentUser()}}, and UGI was created 
> via a Subject (via the {{UGI.loginUserFromSubject()}} method), we call {{new 
> UserGroupInformation(subject)}} which will delegate to 
> {{UserGroupInformation(Subject subject, final boolean externalKeyTab)}} and 
> that will use externalKeyTab == *FALSE*. 
> Then the UGI returned by {{UGI.getCurrentUser()}} will attempt to login using 
> a non-existing keytab if the TGT expired.
> This problem is experienced in {{KMSClientProvider}} when used by the HDFS 
> filesystem client accessing an encryption zone.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
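
The flag loss described in the issue, as an added Java model that is not Hadoop's code and not any of the attached patches. `ModelUgi`, `ExternalKeyTabMarker` and the "tagged" methods are hypothetical names, and keeping a marker inside the Subject is only an assumed way to preserve the flag across re-wrapping.

```java
import javax.security.auth.Subject;

// Simplified model of the constructor delegation in the issue; NOT UserGroupInformation.
public class UgiFlagLossDemo {
    // Hypothetical marker credential recording that the Subject's creator owns the keytab.
    enum ExternalKeyTabMarker { INSTANCE }

    static final class ModelUgi {
        private final boolean externalKeyTab;

        // One-argument constructor delegates with FALSE, as in the description.
        ModelUgi(Subject subject) { this(subject, false); }

        private ModelUgi(Subject subject, boolean externalKeyTab) {
            this.externalKeyTab = externalKeyTab;
        }

        // Login from a caller-supplied Subject: the only place TRUE is passed.
        static ModelUgi loginUserFromSubject(Subject s) { return new ModelUgi(s, true); }

        // Flawed lookup: re-wraps the Subject, so the flag set at login is lost.
        static ModelUgi getCurrentUserFlawed(Subject s) { return new ModelUgi(s); }

        // Assumed mitigation: tag the Subject at login and read the tag back on lookup.
        static ModelUgi loginUserFromSubjectTagged(Subject s) {
            s.getPrivateCredentials().add(ExternalKeyTabMarker.INSTANCE);
            return new ModelUgi(s, true);
        }

        static ModelUgi getCurrentUserTagged(Subject s) {
            boolean external = !s.getPrivateCredentials(ExternalKeyTabMarker.class).isEmpty();
            return new ModelUgi(s, external);
        }

        // A UGI that believes it owns the keytab tries a keytab relogin once the TGT expires.
        boolean wouldReloginFromKeytab() { return !externalKeyTab; }
    }

    public static void main(String[] args) {
        Subject plain = new Subject();   // constructed sample Subject, no real credentials
        ModelUgi.loginUserFromSubject(plain);
        System.out.println("flawed lookup relogins from keytab: "
                + ModelUgi.getCurrentUserFlawed(plain).wouldReloginFromKeytab());

        Subject tagged = new Subject();  // constructed sample Subject, no real credentials
        ModelUgi.loginUserFromSubjectTagged(tagged);
        System.out.println("tagged lookup relogins from keytab: "
                + ModelUgi.getCurrentUserTagged(tagged).wouldReloginFromKeytab());
    }
}
```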
