[ 
https://issues.apache.org/jira/browse/HADOOP-16122?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16772601#comment-16772601
 ] 

Eric Yang commented on HADOOP-16122:
------------------------------------

Granting a service the ability to read end-user keytabs is dangerous and insecure. 
 Binary code run by the service can be tricked into reading end-user keytabs for other 
purposes.  The recommended practice is to use impersonation (doAs).

{code}
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.yarn.exceptions.YarnException;

// The service's own identity: the one login user of the process.
UserGroupInformation proxyUser = UserGroupInformation.getLoginUser();
// remoteUser is the authenticated caller's name (a String); no keytab for it is read.
UserGroupInformation ugi = UserGroupInformation.createProxyUser(remoteUser, proxyUser);
ugi.doAs(new PrivilegedExceptionAction<Void>() {
  @Override
  public Void run() throws YarnException, IOException {
    // .. perform file system operations as remoteUser.
    return null;
  }
});
{code}

Where proxyUser is the unix user who runs the service.  Multi-keytab practice 
is strongly discouraged.

> Re-login from keytab for multiple Hadoop users does not work
> ------------------------------------------------------------
>
>                 Key: HADOOP-16122
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16122
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: auth
>            Reporter: chendihao
>            Priority: Major
>
> In our scenario, we have a service to allow multiple users to access HDFS 
> with their keytabs. The users have different Hadoop users and permissions to 
> access the HDFS files. The service will run with multiple threads and create one 
> independent UGI object for each user and use the UGI to create a Hadoop 
> FileSystem object to read/write HDFS.
>  
> Since we have multiple Hadoop users in the same process, we have to use 
> `loginUserFromKeytabAndReturnUGI` instead of `loginUserFromKeytab`. The 
> `loginUserFromKeytabAndReturnUGI` will not do the re-login automatically. 
> Then we have to call `checkTGTAndReloginFromKeytab` or `reloginFromKeytab` 
> before the kerberos ticket expires.
>  
> The issue is that `reloginFromKeytab` will re-login with the wrong user 
> instead of the one from the expected UGI object. Because of this issue, we can 
> only support multiple Hadoop users logging in with their own keytabs but not 
> re-logging in when the tickets expire.
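The impersonation pattern recommended in the comment, worked through as a small service class (an added example, not code from the issue or from Hadoop itself): the service logs in once from its own keytab, renews only that single TGT, and runs each request inside a proxy UGI for the caller, so the per-user re-login problem from the report never arises. The service principal, keytab path, class name and the `remoteUser` argument are assumptions; the NameNode must also allow the service identity to impersonate via `hadoop.proxyuser.<service>.hosts` and `hadoop.proxyuser.<service>.groups` in core-site.xml.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

/**
 * Multi-tenant HDFS access with a single service keytab (added example).
 * Only the service identity ever touches a keytab; end users are
 * impersonated with createProxyUser, so no per-user re-login is needed.
 */
public class ProxyUserHdfsService {
  private final Configuration conf;

  // Service principal and keytab path are assumed values for this example.
  public ProxyUserHdfsService(Configuration conf, String servicePrincipal,
                              String serviceKeytab) throws IOException {
    this.conf = conf;
    UserGroupInformation.setConfiguration(conf);
    // One login for the whole process: the service's own credentials.
    UserGroupInformation.loginUserFromKeytab(servicePrincipal, serviceKeytab);
  }

  /** Lists a directory as remoteUser (the authenticated caller's name). */
  public FileStatus[] listAs(String remoteUser, String dir)
      throws IOException, InterruptedException {
    // Renew the service TGT if it is close to expiry. There is only one
    // login user, so the wrong-user re-login problem cannot arise.
    UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
    loginUser.checkTGTAndReloginFromKeytab();

    // Proxy UGI: authenticates as the service, acts as remoteUser.
    // The NameNode enforces hadoop.proxyuser.<service>.hosts/groups.
    UserGroupInformation ugi =
        UserGroupInformation.createProxyUser(remoteUser, loginUser);

    return ugi.doAs(new PrivilegedExceptionAction<FileStatus[]>() {
      @Override
      public FileStatus[] run() throws IOException {
        // FileSystem.get picks up the proxy UGI from the current context,
        // so permission checks on the NameNode run against remoteUser.
        FileSystem fs = FileSystem.get(conf);
        return fs.listStatus(new Path(dir));
      }
    });
  }
}
```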



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
