[
https://issues.apache.org/jira/browse/HADOOP-15758?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16629025#comment-16629025
]
Daryn Sharp commented on HADOOP-15758:
--------------------------------------
{quote}Now as I see it, HDFS-3568 introduced an additional possibility -
application provide the user name as well as the ticket cache path. The
question is should it treat this as a proxy user scenario? If this scenario is
not valid, then we probably need to add documentation to discourage its use or
even throw an error?
{quote}
This api absolutely must not create a proxy user. The api is "I want to be this
user from this ticket cache". Nothing more, nothing less. There's a
fundamental misunderstanding of proxy users I'll attempt to clarify.
{quote}The user is trying to use this method signature to mimic proxy user
functionality e.g. provide ticket cache based kerberos credentials
{quote}
You cannot mimic a proxy user. A proxy user is a specific construct. There is no
substitute. A proxy user is a ugi that lacks its own authentication
credentials, thus it explicitly encapsulates a "real" ugi that does contain
kerberos credentials. The real ugi's user must be specifically configured on
the target service to allow impersonation of the proxied user.
There is no correlation between a proxy user and a ticket cache. The real ugi
can supply ticket cache or keytab based credentials. All that matters is the
real user has credentials.
{quote}The alternative, to use [proxy users
functionality|https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html]
in Hadoop works as expected.
{quote}
It's not an alternative, it's the only option if you need impersonation.
Additionally, any impersonating service should never ever be ticket cache
based. Use a keytab. Otherwise you may be very surprised when the proxy user
service morphs into a different user if/when someone/something does a kinit as
a different user.
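The distinction the comment draws, as an added example (not code from this issue, from its patch, or from Hadoop's own sources): a keytab-backed real UGI wrapped by a proxy UGI for impersonation, beside the ticket-cache path that FileSystem.get(URI, Configuration, user) takes. The service principal, keytab and ticket cache paths, NameNode URI and the sanity checks are assumptions chosen for illustration; the hadoop.proxyuser.* keys come from the Superusers page linked above and are set on the NameNode, not in this client.

```java
import java.io.IOException;
import java.net.URI;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;

/**
 * Added example, not part of HADOOP-15758 or the Hadoop code base.
 *
 * Two separate things:
 *   1. Impersonation: a keytab-backed "real" UGI wrapped by a proxy UGI from
 *      createProxyUser(). The NameNode must list the real principal in
 *      hadoop.proxyuser.<realuser>.hosts / .groups (core-site.xml) or the
 *      doAs call is rejected.
 *   2. "Be this user from this ticket cache": FileSystem.get(URI, conf, user)
 *      takes its identity from the ticket cache and creates no proxy UGI.
 *
 * All principal names, paths and the HDFS URI below are placeholders.
 */
public class ProxyUserVsTicketCache {

    // Assumed values; replace with your own.
    static final String HDFS_URI = "hdfs://nn.example.com:8020";
    static final String SERVICE_PRINCIPAL = "svc-gateway/[email protected]";
    static final String SERVICE_KEYTAB = "/etc/security/keytabs/svc-gateway.keytab";
    static final String TICKET_CACHE = "/tmp/krb5cc_1001";

    static Configuration kerberosConf() {
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        conf.set("fs.defaultFS", HDFS_URI);
        UserGroupInformation.setConfiguration(conf);
        return conf;
    }

    /**
     * Impersonation as the comment describes it. The keytab matters: a
     * long-running service whose real identity came from a ticket cache would
     * change identity the next time someone ran kinit as another principal.
     */
    static FileStatus[] listAsProxiedUser(Configuration conf, String endUser, Path dir)
            throws IOException, InterruptedException {
        // Real UGI: owns Kerberos credentials, loaded from a keytab.
        UserGroupInformation realUgi =
                UserGroupInformation.loginUserFromKeytabAndReturnUGI(SERVICE_PRINCIPAL, SERVICE_KEYTAB);
        if (!realUgi.isFromKeytab()) {
            throw new IllegalStateException("impersonating service must not be ticket-cache based");
        }

        // Proxy UGI: no credentials of its own, wraps the real UGI.
        UserGroupInformation proxyUgi = UserGroupInformation.createProxyUser(endUser, realUgi);

        // Assumed sanity checks before trusting the wiring.
        if (proxyUgi.getAuthenticationMethod() != AuthenticationMethod.PROXY
                || proxyUgi.getRealUser() == null
                || !proxyUgi.getRealUser().hasKerberosCredentials()) {
            throw new IllegalStateException("proxy UGI is not backed by a Kerberos real user");
        }

        // The RPC authenticates as SERVICE_PRINCIPAL; HDFS permissions are
        // evaluated as endUser only if the NameNode's hadoop.proxyuser.* allows it.
        return proxyUgi.doAs((PrivilegedExceptionAction<FileStatus[]>) () -> {
            FileSystem fs = FileSystem.get(URI.create(HDFS_URI), conf);
            return fs.listStatus(dir);
        });
    }

    /**
     * The API the issue is about: identity comes from the principal kinit put
     * into TICKET_CACHE. No proxy user is created, whatever `user` says.
     */
    static FileStatus[] listFromTicketCache(Configuration conf, String user, Path dir)
            throws IOException, InterruptedException {
        conf.set("hadoop.security.kerberos.ticket.cache.path", TICKET_CACHE);
        FileSystem fs = FileSystem.get(URI.create(HDFS_URI), conf, user);
        return fs.listStatus(dir);
    }

    public static void main(String[] args) throws Exception {
        Configuration conf = kerberosConf();
        Path dir = new Path("/user/alice");
        for (FileStatus s : listAsProxiedUser(conf, "alice", dir)) {
            System.out.println("proxied: " + s.getPath());
        }
        for (FileStatus s : listFromTicketCache(conf, "alice", dir)) {
            System.out.println("ticket cache: " + s.getPath());
        }
    }
}
```

Both methods need a live Kerberized cluster. If listAsProxiedUser fails with an authorization error naming the real user, the NameNode-side hadoop.proxyuser.svc-gateway.hosts/groups entries are missing, which is the "specifically configured on the target service" requirement in the comment.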
> Filesystem.get(URI, Configuration, user) API not working with proxy users
> -------------------------------------------------------------------------
>
> Key: HADOOP-15758
> URL: https://issues.apache.org/jira/browse/HADOOP-15758
> Project: Hadoop Common
> Issue Type: Bug
> Affects Versions: 2.6.0, 3.0.0
> Reporter: Hrishikesh Gadre
> Assignee: Hrishikesh Gadre
> Priority: Major
> Attachments: HADOOP-15758-001.patch
>
>
> A user reported that the Filesystem.get API is not working as expected when
> they use the 'FileSystem.get(URI, Configuration, user)' method signature -
> but 'FileSystem.get(URI, Configuration)' works fine. The user is trying to
> use this method signature to mimic proxy user functionality e.g. provide
> ticket cache based kerberos credentials (using KRB5CCNAME env variable) for
> the proxy user and then in the java program pass name of the user to be
> impersonated. The alternative, to use [proxy users
> functionality|https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html]
> in Hadoop works as expected.
>
> Since FileSystem.get(URI, Configuration, user) is a public API and it does
> not restrict its usage in this fashion, we should ideally make it work or add
> docs to discourage its usage to implement proxy users.
>