[jira] [Commented] (HADOOP-9567) Provide auto-renewal for keytab based logins

Fri, 28 Sep 2018 05:43:15 -0700 


    [ 
https://issues.apache.org/jira/browse/HADOOP-9567?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16631782#comment-16631782
 ] 

Wei-Chiu Chuang commented on HADOOP-9567:
-----------------------------------------

Thanks [~ghelmling] and [~hgadre] for the patch.

I've been reviewing the latest patch (rev 003). Functionality-wise, for the 
most part it seems to do what is expected. But UGI had been giving some 
headaches in the past, so I'd like to take the time to think in terms of 
various scenarios.

 

What should be expected if a user calls UGI#loginUserFromKeytab() multiple 
times? From the code it looks like only the first login user will be renewed. 
If the process calls loginUserFromKeytab() the second time, the user doesn't 
get renewed.

 

What if UGI#getLogin() is called (assuming the user already performed kinit, 
and getLogin() will login with tgt), followed by UGI#loginUserFromKeytab()? It 
seems the latter doesn't get renewed.

 

Supportability: it would be really helpful if there is a way to tell if the 
user will renew keytab automatically, or if it will renew tgt automatically.

> Provide auto-renewal for keytab based logins
> --------------------------------------------
>
>                 Key: HADOOP-9567
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9567
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.0.0-alpha
>            Reporter: Harsh J
>            Assignee: Hrishikesh Gadre
>            Priority: Minor
>         Attachments: HADOOP-9567-001.patch, HADOOP-9567-002.patch, 
> HADOOP-9567-003.patch, HADOOP-9567.branch-2.7.001.patch
>
>
> We do a renewal for cached tickets (obtained via kinit before using a Hadoop 
> application) but we explicitly seem to avoid doing a renewal for keytab based 
> logins (done from within the client code) when we could do that as well via a 
> similar thread.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to