[
https://issues.apache.org/jira/browse/HADOOP-16122?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
chendihao updated HADOOP-16122:
-------------------------------
Summary: Re-login from keytab for multiple Hadoop users without using
global static UGI users (was: Re-login for multiple Hadoop users without
updating global static UGI attributes)
> Re-login from keytab for multiple Hadoop users without using global static
> UGI users
> ------------------------------------------------------------------------------------
>
> Key: HADOOP-16122
> URL: https://issues.apache.org/jira/browse/HADOOP-16122
> Project: Hadoop Common
> Issue Type: Bug
> Components: auth
> Reporter: chendihao
> Priority: Major
>
> In our scenario, we have a service to allow multiple users to access HDFS
> with their keytab. The users have different Hadoop user and permission to
> access the HDFS files. The service will run with multi-threads and create one
> independent UGI object for each user and use the UGI to create Hadoop
> FileSystem object to read/write HDFS.
>
> Since we have multiple Hadoop users in the same process, we have to use
> `loginUserFromKeytabAndReturnUGI` instead of `loginUserFromKeytab`. The
> `loginUserFromKeytabAndReturnUGI` will not do the re-login automatically.
> Then we have to call `checkTGTAndReloginFromKeytab` or `reloginFromKeytab`
> before the kerberos ticket expires.
>
> The issue is that `reloginFromKeytab` will use the static User and static
> Subject objects to check the authentication and re-login. In fact, we want to
> re-login with the current User and Subject instead of the global static one.
>
> Because of this issue, we can only support multiple Hadoop users to login
> with their own keytabs but not re-login when the tickets expire.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
