[
https://issues.apache.org/jira/browse/HADOOP-15758?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16617935#comment-16617935
]
Hrishikesh Gadre commented on HADOOP-15758:
-------------------------------------------
[~daryn] thanks for looking into this issue. I investigated this a little
deeper, and here is my understanding:
* HADOOP-6769 added the FileSystem.get(URI, Configuration, user) API to
support remote users. The idea was to have the FileSystem implementation create a
remote user if the user argument is non-null. If the user parameter is null,
the logic was to use the currently logged in user.
* At some later point HDFS-3568 added an ability to obtain a UGI using the
provided ticket cache file path. As part of this patch, a new method
"getBestUGI" was introduced in the UserGroupInformation class. This method handles
three cases separately: (a) if a ticket cache path is specified, it uses the
credentials to prepare the UGI and ignores the user argument; (b) if a ticket cache path
is not specified and a user name is provided, it creates a remote user; and (c) if
the ticket cache path and user name are not specified, it uses the currently
logged in user.
Now as I see it, HDFS-3568 introduced an additional possibility - the application
provides the user name as well as the ticket cache path. The question is: should
it treat this as a proxy user scenario? If this scenario is not valid, then we
probably need to add documentation to discourage its use or even throw an error?
> Filesystem.get(URI, Configuration, user) API not working with proxy users
> -------------------------------------------------------------------------
>
> Key: HADOOP-15758
> URL: https://issues.apache.org/jira/browse/HADOOP-15758
> Project: Hadoop Common
> Issue Type: Bug
> Affects Versions: 2.6.0, 3.0.0
> Reporter: Hrishikesh Gadre
> Assignee: Hrishikesh Gadre
> Priority: Major
>
> A user reported that the Filesystem.get API is not working as expected when
> they use the 'FileSystem.get(URI, Configuration, user)' method signature -
> but 'FileSystem.get(URI, Configuration)' works fine. The user is trying to
> use this method signature to mimic proxy user functionality, e.g. provide
> ticket cache based Kerberos credentials (using the KRB5CCNAME env variable) for
> the proxy user and then in the Java program pass the name of the user to be
> impersonated. The alternative, to use [proxy users
> functionality|https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html]
> in Hadoop, works as expected.
>
> Since FileSystem.get(URI, Configuration, user) is a public API and it does
> not restrict its usage in this fashion, we should ideally make it work or add
> docs to discourage its usage to implement proxy users.
>
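The proxy-user pattern that the issue description says works as expected, written out as an added example (not code from the issue, the reporter, or Hadoop itself). The class name and the two command-line arguments are assumptions made for illustration; it needs the Hadoop client libraries on the classpath and a reachable cluster.

```java
import java.net.URI;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

// Hypothetical class name. args[0] = filesystem URI, args[1] = user to impersonate.
public class ProxyUserListing {
  public static void main(String[] args) throws Exception {
    if (args.length != 2) {
      System.err.println("usage: ProxyUserListing <fs-uri> <impersonated-user>");
      System.exit(2);
    }
    final URI fsUri = URI.create(args[0]);
    final String impersonated = args[1];

    final Configuration conf = new Configuration();
    UserGroupInformation.setConfiguration(conf);

    // Real user: the currently logged in user. With Kerberos security enabled,
    // the login is taken from the Kerberos ticket cache.
    UserGroupInformation realUser = UserGroupInformation.getLoginUser();

    // Proxy UGI: the impersonated name, authenticated by the real user's
    // credentials. The cluster only honours this if impersonation is allowed
    // for the real user (hadoop.proxyuser.<real-user>.hosts / .groups).
    UserGroupInformation proxyUgi =
        UserGroupInformation.createProxyUser(impersonated, realUser);

    // Use the two-argument FileSystem.get inside doAs, so the identity comes
    // from the proxy UGI rather than from the 'user' argument of the
    // three-argument overload discussed in this issue.
    FileStatus[] listing = proxyUgi.doAs(
        (PrivilegedExceptionAction<FileStatus[]>) () -> {
          FileSystem fs = FileSystem.get(fsUri, conf);
          return fs.listStatus(new Path("/"));
        });

    System.out.println("real user: " + realUser.getUserName()
        + ", effective user: " + proxyUgi.getUserName());
    for (FileStatus st : listing) {
      System.out.println(st.getOwner() + "\t" + st.getPath());
    }
  }
}
```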