[ 
https://issues.apache.org/jira/browse/HADOOP-4656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12662059#action_12662059
 ] 

Kan Zhang commented on HADOOP-4656:
-----------------------------------

> I propose we change the IPC Client to send the JAAS Subject in the header 
> rather than UGI, this will also be compatible with the way we will do 
> Kerberos-based authentication via the GSS API.

Just want to clarify that application code doesn't send anything when using 
Kerberos. It's all hidden inside the GSS API library. After authentication, 
the server can query the established GSS context to get the client ID as a 
GSSName, which can be converted to a String. So for compatibility, the IPC 
Client doesn't have to send the JAAS Subject in the header. Sending a String is fine.

> Add a user to groups mapping service 
> -------------------------------------
>
>                 Key: HADOOP-4656
>                 URL: https://issues.apache.org/jira/browse/HADOOP-4656
>             Project: Hadoop Core
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 0.19.0
>            Reporter: Arun C Murthy
>            Assignee: Arun C Murthy
>         Attachments: HADOOP-4656_0_20090108.patch
>
>
> Currently the IPC client sends the UGI which contains the user/group 
> information for the Server. However this represents the groups for the user 
> on the client-end. The more pertinent mapping from user to groups is actually 
> the one seen by the Server. Hence the client should only send the user and we 
> should add a 'group mapping service' so that the Server can query it for the 
> mapping.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
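
The server-side lookup proposed in the issue description, as an added example that is not part of the original message or of the attached patch: the server takes only the user name from the connection and resolves groups from its own mapping, ignoring any groups the client claims. All class and method names are hypothetical, the user string is assumed to be the already-authenticated identity, and the mapping data is constructed (Java 16+ for records).

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

/** Added illustration; names are hypothetical, not Hadoop's API. */
public class ServerSideGroupMapping {

    /** Server-side source of truth for user -> groups (OS, directory, ...). */
    interface GroupMappingService {
        Set<String> getGroups(String user);
    }

    /** What a client could send: a user name plus groups as seen on the client. */
    record ConnectionHeader(String user, Set<String> clientClaimedGroups) {}

    /** Caches lookups so that each RPC does not hit the backing store. */
    static final class CachingGroupResolver {
        private final GroupMappingService backend;
        private final Map<String, Set<String>> cache = new ConcurrentHashMap<>();

        CachingGroupResolver(GroupMappingService backend) { this.backend = backend; }

        Set<String> resolve(String authenticatedUser) {
            return cache.computeIfAbsent(authenticatedUser,
                    u -> Set.copyOf(backend.getGroups(u)));
        }
    }

    /** Authorization consults only server-resolved groups, never the client's claim. */
    static boolean mayAccess(ConnectionHeader header, String requiredGroup,
                             CachingGroupResolver resolver) {
        return resolver.resolve(header.user()).contains(requiredGroup);
    }

    public static void main(String[] args) {
        // Constructed sample mapping, as the server sees it.
        Map<String, Set<String>> serverView = Map.of(
                "alice", Set.of("users", "hdfs-admins"),
                "bob", Set.of("users"));
        CachingGroupResolver resolver =
                new CachingGroupResolver(u -> serverView.getOrDefault(u, Set.of()));

        // bob's client claims hdfs-admins membership; the server's mapping disagrees.
        ConnectionHeader bob = new ConnectionHeader("bob", Set.of("users", "hdfs-admins"));
        ConnectionHeader alice = new ConnectionHeader("alice", Set.of());

        System.out.println("bob   -> " + mayAccess(bob, "hdfs-admins", resolver));
        System.out.println("alice -> " + mayAccess(alice, "hdfs-admins", resolver));
    }
}
```

A user unknown to the server's mapping resolves to an empty group set and is denied, whatever the client header claims.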
