[ https://issues.apache.org/jira/browse/OOZIE-2697?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Peter Bacsko updated OOZIE-2697:
--------------------------------
Description:
We need to implement proper method calls on {{UserGroupInformation}} that work
on secure and non-secure clusters as well.
Invoking {{UserGroupInformation.doAs()}} is crucial to avoid authentication
problems with HDFS and other parts of Hadoop.
What's not trivial is how to get an instance of UGI. The current solution is
the following and it works, but might not be the best:
{code}
// Note: submitterUser is passed with -D to LauncherAM as a JVM system property.
if (UserGroupInformation.getLoginUser().getShortUserName().equals(submitterUser)) {
    System.out.println("Using login user for UGI");
    ugi = UserGroupInformation.getLoginUser();
} else {
    ugi = UserGroupInformation.createRemoteUser(submitterUser);
    ugi.addCredentials(UserGroupInformation.getLoginUser().getCredentials());
}
{code}
I tried to invoke only {{createRemoteUser()}} in different ways, but in a
Kerberized cluster, it didn't work. We have to evaluate this approach.
was:
We need to implement proper method calls on {{UserGroupInformation}} that work
on secure and non-secure clusters as well.
Invoking {{UserGroupInformation.doAs()}} is crucial to avoid authentication
problems with HDFS and other parts of Hadoop.
What's not trivial is how to get an instance of UGI. The current solution is
the following and it works, but might not be the best:
{code}
if (UserGroupInformation.getLoginUser().getShortUserName().equals(submitterUser)) {
    System.out.println("Using login user for UGI");
    ugi = UserGroupInformation.getLoginUser();
} else {
    ugi = UserGroupInformation.createRemoteUser(submitterUser);
    ugi.addCredentials(UserGroupInformation.getLoginUser().getCredentials());
}
{code}
I tried to invoke only {{createRemoteUser()}} in different ways, but in a
Kerberized cluster, it didn't work. We have to evaluate this approach.
> Implement proper UGI calls in LauncherAM for secure/non-secure clusters
> -----------------------------------------------------------------------
>
> Key: OOZIE-2697
> URL: https://issues.apache.org/jira/browse/OOZIE-2697
> Project: Oozie
> Issue Type: Sub-task
> Reporter: Peter Bacsko
> Assignee: Peter Bacsko
>
> We need to implement proper method calls on {{UserGroupInformation}} that
> work on secure and non-secure clusters as well.
> Invoking {{UserGroupInformation.doAs()}} is crucial to avoid authentication
> problems with HDFS and other parts of Hadoop.
> What's not trivial is how to get an instance of UGI. The current solution is
> the following and it works, but might not be the best:
> {code}
> // Note: submitterUser is passed with -D to LauncherAM as a JVM system property.
> if (UserGroupInformation.getLoginUser().getShortUserName().equals(submitterUser)) {
>     System.out.println("Using login user for UGI");
>     ugi = UserGroupInformation.getLoginUser();
> } else {
>     ugi = UserGroupInformation.createRemoteUser(submitterUser);
>     ugi.addCredentials(UserGroupInformation.getLoginUser().getCredentials());
> }
> {code}
> I tried to invoke only {{createRemoteUser()}} in different ways, but in a
> Kerberized cluster, it didn't work. We have to evaluate this approach.
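The UGI selection described in the issue, wrapped around an HDFS call with {{doAs()}}, as an added example that is not Oozie's own code. The property name {{example.submitter.user}}, the class name and the root-directory probe are assumptions made for illustration; the issue only says the user is passed with -D.

```java
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

public class UgiDoAsExample {
    // Hypothetical property name (assumption, not taken from the issue).
    static final String SUBMITTER_PROP = "example.submitter.user";

    // Same selection logic as the snippet in the issue description.
    static UserGroupInformation resolveUgi(String submitterUser) throws Exception {
        UserGroupInformation login = UserGroupInformation.getLoginUser();
        if (login.getShortUserName().equals(submitterUser)) {
            return login;
        }
        // A UGI from createRemoteUser() starts with no credentials, so the
        // login user's tokens are copied into it before any Hadoop call.
        UserGroupInformation ugi = UserGroupInformation.createRemoteUser(submitterUser);
        ugi.addCredentials(login.getCredentials());
        return ugi;
    }

    public static void main(String[] args) throws Exception {
        String submitterUser = System.getProperty(SUBMITTER_PROP);
        if (submitterUser == null || submitterUser.isEmpty()) {
            throw new IllegalStateException("-D" + SUBMITTER_PROP + " is not set");
        }
        final Configuration conf = new Configuration();
        UserGroupInformation ugi = resolveUgi(submitterUser);

        // Diagnostics for comparing a secure and a non-secure cluster.
        System.out.println("security enabled: " + UserGroupInformation.isSecurityEnabled());
        System.out.println("ugi: " + ugi + ", auth: " + ugi.getAuthenticationMethod()
                + ", tokens: " + ugi.getCredentials().numberOfTokens());

        // Run the HDFS call inside doAs() so it is made as the selected UGI.
        String rootOwner = ugi.doAs(new PrivilegedExceptionAction<String>() {
            @Override
            public String run() throws Exception {
                FileSystem fs = FileSystem.get(conf);
                return fs.getFileStatus(new Path("/")).getOwner();
            }
        });
        System.out.println("HDFS call succeeded, owner of / is " + rootOwner);
    }
}
```

Running it once on a Kerberized cluster and once on a non-secure one shows which branch produced the UGI and whether the copied credentials actually contain tokens.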