[ https://issues.apache.org/jira/browse/HADOOP-16122?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
chendihao updated HADOOP-16122:
-------------------------------
Description:
In our scenario, we have a service that allows multiple users to access HDFS
with their keytabs. The users use different Hadoop users and permissions to
access the HDFS files. This service runs with multiple threads, creates an
independent UGI object for each user, and uses each user's own UGI to create a
Hadoop FileSystem object to read/write HDFS.

Since we have multiple Hadoop users in the same process, we have to use
`loginUserFromKeytabAndReturnUGI` instead of `loginUserFromKeytab`.
`loginUserFromKeytabAndReturnUGI` will not do the re-login automatically, so
we have to call `checkTGTAndReloginFromKeytab` or `reloginFromKeytab` before
the Kerberos ticket expires.

The issue is that `reloginFromKeytab` will always re-login with the same,
incorrect keytab instead of the one from the expected UGI object. Because of
this issue, we can only support multiple Hadoop users logging in with their own
keytabs the first time, but not re-login when the tickets expire. The logic
of login and re-login is slightly different, especially for updating the global
static properties, and the bug may be in the implementation of that.

was:
In our scenario, we have a service that allows multiple users to access HDFS
with their keytabs. The users have different Hadoop users and permissions to
access the HDFS files. The service runs with multiple threads, creates one
independent UGI object for each user, and uses the UGI to create a Hadoop
FileSystem object to read/write HDFS.

Since we have multiple Hadoop users in the same process, we have to use
`loginUserFromKeytabAndReturnUGI` instead of `loginUserFromKeytab`.
`loginUserFromKeytabAndReturnUGI` will not do the re-login automatically, so
we have to call `checkTGTAndReloginFromKeytab` or `reloginFromKeytab` before
the Kerberos ticket expires.

The issue is that `reloginFromKeytab` will re-login with the wrong users
instead of the one from the expected UGI object. Because of this issue, we can
only support multiple Hadoop users logging in with their own keytabs, but not
re-login when the tickets expire.

> Re-login from keytab for multiple UGI will use the same and incorrect
> keytabPrincipal
> -------------------------------------------------------------------------------------
>
> Key: HADOOP-16122
> URL: https://issues.apache.org/jira/browse/HADOOP-16122
> Project: Hadoop Common
> Issue Type: Bug
> Components: auth
> Reporter: chendihao
> Priority: Major
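The usage pattern described in this report, as an added example that is not part of the original message or of the Hadoop code base: one UGI per principal, HDFS calls wrapped in `doAs`, and an explicit periodic re-login. The class name, principals, keytab paths, HDFS path and 10-minute interval are constructed, and the post-re-login identity check is an assumption of this example (the report does not say how the wrong principal surfaces).

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import java.util.concurrent.*;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

public class MultiKeytabService { // hypothetical class name
  private final Configuration conf = new Configuration();
  // One UGI per principal; the process-wide login user is never set.
  private final Map<String, UserGroupInformation> ugis = new ConcurrentHashMap<>();

  public MultiKeytabService() {
    conf.set("hadoop.security.authentication", "kerberos");
    UserGroupInformation.setConfiguration(conf);
  }

  public void login(String principal, String keytab) throws IOException {
    ugis.put(principal, UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab));
  }

  // Run an HDFS call with the credentials of the given principal only.
  public boolean exists(String principal, String path) throws Exception {
    return ugis.get(principal).doAs((PrivilegedExceptionAction<Boolean>) () -> {
      try (FileSystem fs = FileSystem.newInstance(conf)) {
        return fs.exists(new Path(path));
      }
    });
  }

  // These UGIs are not renewed automatically, so each is refreshed explicitly.
  public void reloginAll() {
    ugis.forEach((principal, ugi) -> {
      try {
        ugi.checkTGTAndReloginFromKeytab();
        // Assumed sanity check: the UGI should still name the principal it was created for.
        if (!principal.equals(ugi.getUserName())) {
          System.err.println("identity mismatch: expected " + principal + ", got " + ugi.getUserName());
        }
      } catch (IOException e) {
        System.err.println("re-login failed for " + principal + ": " + e);
      }
    });
  }

  public static void main(String[] args) throws Exception {
    MultiKeytabService svc = new MultiKeytabService();
    svc.login("alice@EXAMPLE.COM", "/etc/security/keytabs/alice.keytab"); // constructed
    svc.login("bob@EXAMPLE.COM", "/etc/security/keytabs/bob.keytab");     // constructed
    Executors.newSingleThreadScheduledExecutor().scheduleAtFixedRate(svc::reloginAll, 10, 10, TimeUnit.MINUTES);
    System.out.println(svc.exists("alice@EXAMPLE.COM", "/user/alice"));
  }
}
```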