[
https://issues.apache.org/jira/browse/HADOOP-16977?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17085828#comment-17085828
]
Steve Loughran commented on HADOOP-16977:
-----------------------------------------
# There's some deep complexity here related to UGI launch, dynamically loaded
resources (HdfsConfiguration), YarnConfiguration, ...
# UGI and Kerberos are one of the most sensitive bits of the code of the system
on account of
it being low-level and foundational security code, using APIs in Java which we
are probably the heaviest users, and integrating with native OS libraries,
configs and remote services.
# UGI static fields are shared across all threads and all UGI instances in a
process, including multitenant processes (hive,...)
# We are scared of UGI and changes to it.
We can't change the config on a thread because that will affect every other
thread. If you look at its uses today, other than in tests, we only use it on
process launch, before any attempt to start talking to remote services or start
offering services is kicked off.
The best practise to create accounts for a user is to create a new UGI, then do
ugi.doAs() { FileSystem.get(URI, conf)}
So, WONTFIX I'm afraid. Sorry.
> in javaApi, UGI params should be overidden through FileSystem conf
> ------------------------------------------------------------------
>
> Key: HADOOP-16977
> URL: https://issues.apache.org/jira/browse/HADOOP-16977
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.7.2, 3.2.0
> Reporter: Hongbing Wang
> Priority: Major
> Attachments: HADOOP-16977.001.patch, HADOOP-16977.002.patch
>
>
> org.apache.hadoop.security.UserGroupInformation#ensureInitialized,will always
> get the configure from the configuration files. Like below:
> {code:java}
> private static void ensureInitialized() {
> if (conf == null) {
> synchronized(UserGroupInformation.class) {
> if (conf == null) { // someone might have beat us
> initialize(new Configuration(), false);
> }
> }
> }
> }{code}
> So that, if FileSystem is created through FileSystem#get or
> FileSystem#newInstance with conf, the conf values different from the
> configuration files will not take effect in UserGroupInformation. E.g:
> {code:java}
> Configuration conf = new Configuration();
> conf.set("k1","v1");
> conf.set("k2","v2");
> FileSystem fs = FileSystem.get(uri, conf);{code}
> "k1" or "k2" will not work in UserGroupInformation.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
