[
https://issues.apache.org/jira/browse/HADOOP-14351?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Santhosh G Nayak updated HADOOP-14351:
--------------------------------------
Attachment: HADOOP-14351.1.patch
Attaching the patch containing the following changes.
1. Removed the following lines when doing SPENGO connection remote service.
{code}
if (!connectUgi.hasKerberosCredentials()) {
connectUgi = UserGroupInformation.getLoginUser();
}
{code}
2. Getting the delegation token in
{{RemoteSASKeyGeneratorImpl.getRelativeBlobSASUri()}},
{{RemoteSASKeyGeneratorImpl.getContainerSASUri()}} and
{{RemoteWasbAuthorizerImpl.authorize()}} methods as well.
> Azure: RemoteWasbAuthorizerImpl and RemoteSASKeyGeneratorImpl use Kerberos
> interactive user cache
> -------------------------------------------------------------------------------------------------
>
> Key: HADOOP-14351
> URL: https://issues.apache.org/jira/browse/HADOOP-14351
> Project: Hadoop Common
> Issue Type: Bug
> Components: fs/azure
> Affects Versions: 2.9.0
> Reporter: Santhosh G Nayak
> Assignee: Santhosh G Nayak
> Attachments: HADOOP-14351.1.patch
>
>
> Currently, {{RemoteWasbAuthorizerImpl.getRelativeBlobSASUri()}},
> {{RemoteWasbAuthorizerImpl.getContainerSASUri()}} and
> {{RemoteSASKeyGeneratorImpl.authorize()}} use Kerberos interactive user's
> ticket cache if the kerberos credential is not available for
> {{UserGroupInformation.getCurrentUser()}} or
> {{UserGroupInformation.getRealUser()}}.
> It results in usage of interactive user's ticket for impersonation, whenever
> services try to do File System operations as another user, which is incorrect.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
