[ 
https://issues.apache.org/jira/browse/HADOOP-9317?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Daryn Sharp updated HADOOP-9317:
--------------------------------

    Attachment: HADOOP-9317.patch
                HADOOP-9317.branch-23.patch

(This issue is impacting production workflows)

The user can already specify a ticket cache via the env KRB5CCNAME.  Added 
corresponding envs for KRB5KEYTAB and KRB5PRINCIPAL.

If KRB5KEYTAB is defined, the ticket cache will continue to be searched first 
but it will fall back to the keytab if there is no ticket cache, no TGT in the 
ticket cache, or if the ticket cache TGT cannot be renewed.  KRB5PRINCIPAL may 
optionally be specified if the keytab principal does not match the unix user.

If both KRB5KEYTAB and KRB5CCNAME are defined, a TGT acquired via the keytab 
will be written to the ticket cache to avoid constantly acquiring a new TGT.

Removed an unnecessary re-instantiation of the UGI (just after it's 
instantiated and assigned an auth type) to avoid double writing the ticket 
cache. 

There is no change to existing behavior if the KRB5KEYTAB env is not defined.  
These changes allow a user to no longer have to issue periodic kinits, and to 
no longer have commands fail when the ticket is gone/empty/expired.
                
> User cannot specify a kerberos keytab for commands
> --------------------------------------------------
>
>                 Key: HADOOP-9317
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9317
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Critical
>         Attachments: HADOOP-9317.branch-23.patch, HADOOP-9317.patch
>
>
> {{UserGroupInformation}} only allows kerberos users to be logged in via the 
> ticket cache when running hadoop commands.  {{UGI}} allows a keytab to be 
> used, but it's only exposed programmatically.  This forces keytab-based users 
> running hadoop commands to periodically issue a kinit from the keytab.  A 
> race condition exists during the kinit when the ticket cache is deleted and 
> re-created.  Hadoop commands will fail when the ticket cache does not 
> momentarily exist.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

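The issue description says a keytab login is available from UGI "only programmatically". The following is an added illustration of that programmatic path, not code from the HADOOP-9317 patch or from the Hadoop project itself; the principal, keytab path and the listing of the root directory are assumed placeholders. It acquires the TGT straight from the keytab, so no ticket cache and no kinit (and therefore none of the delete/re-create race the issue describes) are involved:

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

/**
 * Keytab-based login through the UserGroupInformation API.
 * Added example for HADOOP-9317; not part of the patch or of Hadoop.
 */
public class KeytabLogin {

    public static void main(String[] args) throws Exception {
        // Assumed values: replace with the real principal and keytab.
        final String principal = "alice@EXAMPLE.COM";
        final String keytab = "/etc/security/keytabs/alice.keytab";

        final Configuration conf = new Configuration();
        // Without this UGI treats the cluster as "simple" auth and never
        // touches Kerberos at all.
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);

        // Log in directly from the keytab. The TGT lives in the login
        // user's Subject; nothing is written to a ticket cache file.
        UserGroupInformation.loginUserFromKeytab(principal, keytab);
        final UserGroupInformation ugi = UserGroupInformation.getLoginUser();

        // Sanity checks a long-running client would want before doing work.
        if (!ugi.isFromKeytab() || !ugi.hasKerberosCredentials()) {
            throw new IOException("keytab login did not yield Kerberos credentials for "
                    + ugi.getUserName());
        }

        // Re-acquire the TGT from the keytab when it is expired or near
        // expiry. This is the programmatic equivalent of the periodic
        // kinit the issue complains about, minus the race.
        ugi.checkTGTAndReloginFromKeytab();

        // Run the filesystem call as the keytab principal.
        FileStatus[] listing = ugi.doAs(new PrivilegedExceptionAction<FileStatus[]>() {
            @Override
            public FileStatus[] run() throws IOException {
                FileSystem fs = FileSystem.get(conf);
                return fs.listStatus(new Path("/"));
            }
        });

        for (FileStatus status : listing) {
            System.out.println(status.getPath() + " owner=" + status.getOwner());
        }
    }
}
```

Compile against the Hadoop client jars and run with the keytab readable only by the invoking user (a keytab is a long-lived password equivalent: anyone who can read it can obtain the same TGT). What the patch adds is the CLI-side equivalent of this flow, driven by the KRB5KEYTAB and KRB5PRINCIPAL environment variables, so shell users of the hadoop commands get the keytab fallback without writing code like the above.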