[ https://issues.apache.org/jira/browse/HADOOP-16521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16911494#comment-16911494 ]
Yicong Cai commented on HADOOP-16521:
-------------------------------------
[~daryn] Thank you very much for your detailed guidance. I neglected the basic
principles of impersonation.
So, to solve the proxy user problem in the Hadoop Archive Logs tool, Kerberos
information should be attached to RealUser when the Client submits tasks, so that
the Task can build a legitimate ProxyUser smoothly.
Is my understanding correct?
> Subject has a contradiction between proxy user and real user
> ------------------------------------------------------------
>
> Key: HADOOP-16521
> URL: https://issues.apache.org/jira/browse/HADOOP-16521
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Yicong Cai
> Priority: Major
>
> In the method UserGroupInformation#loginUserFromSubject, if you specify
> ProxyUser with HADOOP_PROXY_USER, and create a Proxy UGI instance, the valid
> Credentials are included in the User's PrivateCredentials. The UGI
> information is as follows:
>
> {code:java}
> proxyUGI
> |
> |--subject 1
> | |
> | |--principals
> | | |
> | | |--user
> | | |
> | | --real user
> | |
> | --privCredentials(all cred)
> |
> --proxy user
> {code}
>
> If you first log in Real User and then use
> UserGroupInformation#createProxyUser to create a Proxy UGI, the valid
> Credentials information is included in RealUser's subject PrivateCredentials.
> The UGI information is as follows:
>
> {code:java}
> proxyUGI
> |
> |--subject 1
> | |
> | |--principals
> | | |
> | | |--user
> | | |
> | | --real user
> | | |
> | | --subject 2
> | | |
> | | --privCredentials(all cred)
> | |
> | --privCredentials(empty)
> |
> --proxy user
> {code}
>
> Use the proxy user in the HDFS FileSystem to perform token-related operations.
> However, in the RPC Client Connection, use the token in RealUser for
> SaslRpcClient#saslConnect.
> So the main contradiction is, should ProxyUser's real Credentials information
> be placed in ProxyUGI's subject, or should it be placed in RealUser's subject?
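The two credential layouts described in the issue can be observed directly through the public UserGroupInformation API. The following is an added example, not code from the issue or from the Hadoop code base; it assumes hadoop-common is on the classpath, and the user names, token kind and service name are constructed placeholders.

```java
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

public class ProxyUgiCredentialLayout {

  // Print which UGI (and therefore which Subject) actually holds tokens.
  static void report(String label, UserGroupInformation ugi) {
    System.out.printf("%-22s user=%s auth=%s tokens=%d%n",
        label, ugi.getUserName(), ugi.getAuthenticationMethod(),
        ugi.getTokens().size());
  }

  public static void main(String[] args) {
    // Constructed identities; no Kerberos login is performed here.
    UserGroupInformation real = UserGroupInformation.createRemoteUser("svc-real");

    // Constructed placeholder standing in for a delegation token.
    Token<TokenIdentifier> token = new Token<>(
        new byte[0], new byte[0],
        new Text("EXAMPLE_KIND"), new Text("example-service"));

    // Second layout from the issue: credentials are attached to the real
    // user, then the proxy UGI is built on top of it.
    real.addToken(token);
    UserGroupInformation proxy =
        UserGroupInformation.createProxyUser("alice", real);

    System.out.println("createProxyUser on a real user that holds the token:");
    report("real", real);
    report("proxy", proxy);
    report("proxy.getRealUser()", proxy.getRealUser());

    // First layout from the issue: credentials sit in the proxy UGI's own
    // Subject. Adding the token to the proxy reproduces that placement.
    proxy.addToken(token);

    System.out.println("after adding the token to the proxy UGI itself:");
    report("proxy", proxy);
    report("proxy.getRealUser()", proxy.getRealUser());
  }
}
```

Comparing the token counts reported for the proxy UGI and for its real user shows which Subject's private credentials a caller of `getTokens()` or `getCredentials()` on either UGI will see.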