[
https://issues.apache.org/jira/browse/HADOOP-12333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14705014#comment-14705014
]
john lilley commented on HADOOP-12333:
--------------------------------------
Unless I am missing something, I believe that keytab vs password leakage risk
is similar, at least in Active Directory integrated Hadoop environments. Both
the password and keytab represent the user's keys to the world. Keytab has the
additional property of being stored on disk as opposed to typed in dynamically,
meaning that care must be taken to ensure it cannot be accessed by anyone but
the owner. From what I know, a keytab is per-user, not per-user/service.
But these considerations are somewhat academic for us. Our largest customers
do not allow keytabs to be used because their IT staff do not support it.
> UserGroupInformation method to log in and relogin with password
> ---------------------------------------------------------------
>
> Key: HADOOP-12333
> URL: https://issues.apache.org/jira/browse/HADOOP-12333
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 2.6.0
> Environment: all
> Reporter: john lilley
>
> UserGroupInformation lacks a simple method to login using a password, and
> also makes an important method private. While many people seem to believe
> that kinit should be used for passwords, it is unworkable in many cases (such
> as when software is running as a service).
> Currently to workaround we must do all of this:
> // create a dynamic configuration for the LoginContext
> Map<String,String> krbOptions = new HashMap<String,String>();
> krbOptions.put("doNotPrompt", "false");
> krbOptions.put("useTicketCache", "false");
> krbOptions.put("useKeyTab", "false");
> krbOptions.put("renewTGT", "false");
> AppConfigurationEntry ace = new AppConfigurationEntry(
> KerberosUtil.getKrb5LoginModuleName(),
> LoginModuleControlFlag.REQUIRED,
> krbOptions);
> DynamicConfiguration dynConf = new DynamicConfiguration(
> new AppConfigurationEntry[] {ace});
> // create LoginContext with login callback handler
> LoginContext loginContext =
> newLoginContext(USER_PASSWORD_LOGIN_KERBEROS_CONFIG_NAME,
> null, new LoginHandler(userPrincipal, password), dynConf);
> loginContext.login();
> // get Subject and Principal for logged in user
> Subject loginSubject = loginContext.getSubject();
> Set<Principal> loginPrincipals = loginSubject.getPrincipals();
> if (loginPrincipals.isEmpty()) {
> throw new LoginException("No login principals in loginSubject: " +
> loginSubject);
> }
> String username = loginPrincipals.iterator().next().getName();
> Principal ugiUser = newUser(username, AuthenticationMethod.KERBEROS,
> loginContext);
> // update Hadoop security details
> loginSubject.getPrincipals().add(ugiUser);
> UserGroupInformation loginUser = newUserGroupInformation(loginSubject);
> UserGroupInformation.setLoginUser(loginUser);
> setUGILogin(loginUser, loginContext); // do
> loginUser.setLogin(loginContext)
> loginUser.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
> Note the method setUGILogin() uses reflection to overcome private method that
> we need:
> private static void setUGILogin(UserGroupInformation loginUser, LoginContext
> loginContext)
> throws SecurityException, NoSuchMethodException,
> IllegalArgumentException,
> IllegalAccessException, InvocationTargetException
> {
> Class<UserGroupInformation> cls = UserGroupInformation.class;
> Method mtd = cls.getDeclaredMethod("setLogin", LoginContext.class);
> mtd.setAccessible(true);
> mtd.invoke(loginUser, loginContext);
> }
>
> Finally there is no method reloginFromPassword(). While we can use
> reflection to access the private methods needed for this, it should simply be
> supported.
> PS: I really hope I've just missed something obvious and you can just call me
> an idiot ;-)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
