[
https://issues.apache.org/jira/browse/HADOOP-9840?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13731816#comment-13731816
]
Kai Zheng commented on HADOOP-9840:
-----------------------------------
bq. This appears to be further locking in that a UGI may have one and only one
login identity by using auth-specific subclasses of User.

UGI wraps subject, which can contain multiple principals. We can add more than
one auth-specific subclass object as identities or principals to it. By using
auth-specific subclasses, we can customize methods to get groups and arbitrary
attributes according to the specific auth. This should be helpful for
TokenAuth/HSSO where we need to add a construct like IdentityTokenUser, which
determines groups and attributes by extracting them from the wrapped
identity/access token. Though, we might want to avoid mixing much auth-specific
code into the one User class, as the current code does for Kerberos auth.

> Improve User class for UGI and decouple it from Kerberos
> --------------------------------------------------------
>
> Key: HADOOP-9840
> URL: https://issues.apache.org/jira/browse/HADOOP-9840
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Kai Zheng
> Assignee: Kai Zheng
> Priority: Minor
> Labels: Rhino
> Attachments: HADOOP-9840.patch, HADOOP-9840.patch
>
>
> As discussed in HADOOP-9797, it would be better to improve UGI incrementally.
> Open this JIRA to improve User class to:
> * Make it extensible as a base class, so that it can have subclasses like
> SimpleUser for Simple authn, KerberosUser for Kerberos authn,
> IdentityTokenUser for TokenAuth (in future), etc.
> * Decouple it from Kerberos.
> * Refactor UGI class safely, move testing-related code out of it.
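A sketch of the structure the comment above describes, added here as an example and not taken from the HADOOP-9840 patches or from Hadoop's code: one JAAS `Subject` holding two auth-specific principals, each resolving groups in its own way. The class bodies, the claims map standing in for an already-verified token, and the fixed Kerberos group are assumptions; it needs Java 9 or later.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

public class MultiIdentityDemo {
    // Hypothetical base class; not Hadoop's actual User class.
    static abstract class User implements Principal {
        private final String name;
        User(String name) { this.name = Objects.requireNonNull(name, "name"); }
        @Override public String getName() { return name; }
        abstract Set<String> getGroups();   // each auth type resolves groups its own way
        // Type is part of identity, so two auth types with the same name coexist in one Subject.
        @Override public boolean equals(Object o) {
            return o != null && o.getClass() == getClass() && ((User) o).name.equals(name);
        }
        @Override public int hashCode() { return Objects.hash(getClass(), name); }
    }

    static final class KerberosUser extends User {
        KerberosUser(String principal) { super(principal); }
        // Assumption: a real implementation would ask a group-mapping service; fixed here.
        @Override Set<String> getGroups() { return Set.of("hadoop-users"); }
    }

    static final class IdentityTokenUser extends User {
        private final Map<String, String> claims;
        // Assumption: the caller has verified the token before handing over its claims.
        IdentityTokenUser(Map<String, String> verifiedClaims) {
            super(verifiedClaims.get("sub"));
            this.claims = Map.copyOf(verifiedClaims);
        }
        @Override Set<String> getGroups() {
            String g = claims.getOrDefault("groups", "");
            return g.isEmpty() ? Set.of() : new HashSet<>(Arrays.asList(g.split(",")));
        }
    }

    // Union of groups over every User principal, whatever its auth type.
    static Set<String> allGroups(Subject subject) {
        Set<String> groups = new TreeSet<>();
        for (User u : subject.getPrincipals(User.class)) groups.addAll(u.getGroups());
        return groups;
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new KerberosUser("alice@EXAMPLE.COM"));  // constructed sample
        subject.getPrincipals().add(new IdentityTokenUser(
                Map.of("sub", "alice", "groups", "analysts,etl")));           // constructed sample
        subject.setReadOnly();  // freeze identities once login is done
        System.out.println(allGroups(subject));
    }
}
```

After `setReadOnly()`, any later attempt to add a principal to the `Subject` throws `IllegalStateException`, so the identity set that authorization code reads is fixed at login time.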