fapifta opened a new pull request #1739: HDFS-14668 Support Fuse with Users from multiple Security Realms
URL: https://github.com/apache/hadoop/pull/1739

The rationale behind the change is the following: when a username is specified to the underlying calls of the FileSystem API, that is specified to the Java Kerberos layer as a principal name, and if that does not match the principal in the ticket cache, authentication fails on the Java level.

This renders FUSE usable in a kerberized environment, if and only if the user's ticket cache contains a principal whose name matches the name of the OS user used to access the FUSE mount and the realm of the principal is the default realm per the /etc/krb5.conf file.

Other cases have worked before the UserGroupInformation changes in HADOOP-9747, and after the change suggested by this PR.

How it was tested:

- In a non-kerberized environment after deploying the new compiled binary and mounting hdfs via fuse:
  - a user can read/write any directory/file that is accessible by him based on his OS username
  - a user can't read/write any directory/file that is not accessible for him based on his OS username
  - username seems to be properly mapped to the Unix username and permission checks are performed as with the Java client if participating usernames and userids match on the mounting host and the NameNode.
- In a kerberized environment after deploying the new compiled binary and mounting hdfs via fuse:
  - a principal is correctly recognized and authorized regardless of the OS username
  - tested read/write with a principal with the OS username in the default realm
  - tested read/write with a principal with the OS username in a non-default but trusted realm
  - tested read/write with a principal with a name different from the OS username in the default realm
  - tested read/write with a principal with a name different from the OS username in a non-default but trusted realm

The tests were run manually, as this requires a multiple realm setup with cross-realm trust, which we cannot emulate in the current test environment.
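The four kerberized test cases in the description differ only in how the ticket cache principal relates to the OS username and to the default realm. The script below is an added example, not code from the pull request or from Hadoop: it sorts a ticket cache into those cases, assuming MIT-format `klist` output and a plain `default_realm` line in krb5.conf; the function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the pull request. All sample input is constructed.

# Principal from MIT `klist` output ("Default principal: name@REALM").
cache_principal() {
    printf '%s\n' "$1" | sed -n 's/^Default principal:[[:space:]]*//p' | head -n 1
}

# default_realm value from krb5.conf text (commented-out lines do not match).
default_realm() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' |
        head -n 1
}

# classify OS_USER KLIST_TEXT KRB5_CONF_TEXT
# Prints which case from the PR description the ticket cache falls into.
classify() {
    princ=$(cache_principal "$2")
    realm=$(default_realm "$3")
    if [ -z "$princ" ]; then echo "no-principal"; return 0; fi
    name=${princ%@*}      # part before the last '@'
    prealm=${princ##*@}   # part after the last '@'
    if [ "$name" = "$1" ] && [ "$prealm" = "$realm" ]; then
        # The one case the description says is usable without the change.
        echo "matches-os-user-and-default-realm"
    elif [ "$name" = "$1" ]; then
        echo "non-default-realm"
    elif [ "$prealm" = "$realm" ]; then
        echo "name-differs"
    else
        echo "name-differs-and-non-default-realm"
    fi
}

# Constructed sample input: OS user "alice" holding a ticket for another realm.
KRB5_SAMPLE='[libdefaults]
    default_realm = CORP.EXAMPLE
    dns_lookup_kdc = false'
KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: svc_etl@PARTNER.EXAMPLE

Valid starting       Expires              Service principal
01/01/2020 09:00:00  01/01/2020 19:00:00  krbtgt/PARTNER.EXAMPLE@PARTNER.EXAMPLE'

classify alice "$KLIST_SAMPLE" "$KRB5_SAMPLE"
```

On a live host the inputs would be `id -un`, the output of `klist`, and the contents of /etc/krb5.conf.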
