[
https://issues.apache.org/jira/browse/HADOOP-16521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16911440#comment-16911440
]
Daryn Sharp commented on HADOOP-16521:
--------------------------------------
The task is attempting to fundamentally violate the semantics of a proxy user.
The task may only be the user identity during job submission as encoded in the
token. Proxying with a token is not allowed so it doesn't make sense for a
task to even create a proxy ugi.
The basic principles of impersonation:
# Kerberos authentication is allowed to impersonate. The server configuration
strictly limits based on real user, originating host, and permissible
users/groups to impersonate.
# Token authentication cannot be used to impersonate. A token is an immutable
user identity – which is either a "normal" user or a proxy user. The server
will unconditionally reject impersonation via a token.
The authentication process:
# The client searches for tokens in the current ugi since it's the user's
identity – the real user's tokens do not represent the proxy user's identity.
If not found:
# The client uses kerberos credentials contained in a proxy ugi's real user;
non-proxy ugis use the current ugi.
# The client requests impersonation if the current ugi is a proxy ugi that
authenticated via kerberos.
# The client never requests impersonation via token authentication because it
will be rejected by the server.
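As an added illustration (not part of the JIRA thread or of Hadoop's own code), the following Java program encodes the client-side rules listed above against the public UserGroupInformation API: tokens held by the current ugi win and never imply impersonation; otherwise a proxy ugi authenticates with its real user's Kerberos credentials and requests impersonation; a proxy whose real user only has a token cannot be served. It assumes hadoop-common on the classpath; the user names, the `Plan` class and the empty token are constructed for the example, and `createRemoteUser` only labels a ugi with an authentication method, so no KDC is contacted.

```java
import java.util.Collection;

import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

/**
 * Models the client-side credential selection rule:
 *  1. tokens in the current ugi identify the user: authenticate with the
 *     token and never request impersonation;
 *  2. otherwise a proxy ugi authenticates with its real user's Kerberos
 *     credentials and requests impersonation of the proxy identity;
 *  3. a proxy ugi whose real user only holds a token cannot be served,
 *     because the server rejects impersonation via a token.
 */
public final class ProxyAuthPlan {

  /** Constructed holder: who presents credentials, how, and who is impersonated. */
  public static final class Plan {
    public final String authenticatingUser;
    public final AuthenticationMethod method;
    public final String impersonatedUser; // null when no impersonation is requested

    Plan(String authenticatingUser, AuthenticationMethod method, String impersonatedUser) {
      this.authenticatingUser = authenticatingUser;
      this.method = method;
      this.impersonatedUser = impersonatedUser;
    }

    @Override public String toString() {
      return "auth as " + authenticatingUser + " via " + method
          + (impersonatedUser == null ? "" : ", impersonating " + impersonatedUser);
    }
  }

  public static Plan planFor(UserGroupInformation ugi) {
    // Rule 1: only the current ugi's tokens are consulted. The real user's
    // tokens do not represent the proxy user's identity.
    Collection<Token<? extends TokenIdentifier>> tokens = ugi.getTokens();
    if (!tokens.isEmpty()) {
      return new Plan(ugi.getUserName(), AuthenticationMethod.TOKEN, null);
    }

    UserGroupInformation realUser = ugi.getRealUser();
    if (realUser == null) {
      // Not a proxy ugi: its own credentials are used, no impersonation.
      return new Plan(ugi.getUserName(), ugi.getAuthenticationMethod(), null);
    }

    // Rules 2 and 3: a proxy ugi borrows the real user's credentials.
    AuthenticationMethod realMethod = ugi.getRealAuthenticationMethod();
    if (realMethod == AuthenticationMethod.KERBEROS) {
      return new Plan(realUser.getUserName(), realMethod, ugi.getUserName());
    }
    throw new IllegalStateException("proxy user " + ugi.getUserName()
        + " has no tokens and real user " + realUser.getUserName()
        + " authenticated via " + realMethod + ", which cannot impersonate");
  }

  public static void main(String[] args) throws Exception {
    // Constructed identities: a Kerberos-labelled real user proxying "bob".
    UserGroupInformation alice =
        UserGroupInformation.createRemoteUser("alice", AuthenticationMethod.KERBEROS);
    UserGroupInformation bobViaAlice = UserGroupInformation.createProxyUser("bob", alice);
    System.out.println(planFor(bobViaAlice));

    // Constructed empty token added to the proxy ugi: the token now wins and
    // no impersonation is requested.
    Token<TokenIdentifier> t = new Token<>(new byte[0], new byte[0],
        new Text("CONSTRUCTED_KIND"), new Text("constructed-service"));
    bobViaAlice.addToken(t);
    System.out.println(planFor(bobViaAlice));

    // A real user that only holds a token cannot impersonate anyone.
    UserGroupInformation carol =
        UserGroupInformation.createRemoteUser("carol", AuthenticationMethod.TOKEN);
    UserGroupInformation daveViaCarol = UserGroupInformation.createProxyUser("dave", carol);
    try {
      planFor(daveViaCarol);
    } catch (IllegalStateException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

Compile and run with hadoop-common (and its dependencies) on the classpath. The third case is the one the bug report runs into: a task that only holds a job token has no Kerberos real user to borrow from, so building a proxy ugi there gains nothing and the plan is rejected before any RPC is attempted.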
> Subject has a contradiction between proxy user and real user
> ------------------------------------------------------------
>
> Key: HADOOP-16521
> URL: https://issues.apache.org/jira/browse/HADOOP-16521
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Yicong Cai
> Priority: Major
>
> In the method UserGroupInformation#loginUserFromSubject, if you specify
> ProxyUser with HADOOP_PROXY_USER, and create a Proxy UGI instance, the valid
> Credentials are included in the User's PrivateCredentials. The UGI
> information is as follows:
>
> {code:java}
> proxyUGI
> |
> |--subject 1
> | |
> | |--principals
> | | |
> | | |--user
> | | |
> | | --real user
> | |
> | --privCredentials(all cred)
> |
> --proxy user
> {code}
>
> If you first log in as the Real User and then use
> UserGroupInformation#createProxyUser to create a Proxy UGI, the valid
> Credentials information is included in RealUser's subject PrivateCredentials.
> The UGI information is as follows:
>
> {code:java}
> proxyUGI
> |
> |--subject 1
> | |
> | |--principals
> | | |
> | | |--user
> | | |
> | | --real user
> | | |
> | | --subject 2
> | | |
> | | --privCredentials(all cred)
> | |
> | --privCredentials(empty)
> |
> --proxy user
> {code}
>
> The proxy user is used in the HDFS FileSystem to perform token-related operations.
> However, the RPC Client Connection uses the token in RealUser for
> SaslRpcClient#saslConnect.
> So the main contradiction is, should ProxyUser's real Credentials information
> be placed in ProxyUGI's subject, or should it be placed in RealUser's subject?
--
This message was sent by Atlassian Jira
(v8.3.2#803003)