[ 
https://issues.apache.org/jira/browse/HDFS-12284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16419403#comment-16419403
 ] 

Daryn Sharp commented on HDFS-12284:
------------------------------------

All due respect, there need to be domain experts reviewing these security and 
ipc changes.  Other than adding service acls (which is really orthogonal to 
"support for kerberos"), I don't think the changes are correct.

The jmx change:  A doAs the current user is a no-op.  It's already the current 
user.  More importantly, if security is enabled and if the ugi is actually the 
remote user (as it should be), it won't have credentials to authenticate to the 
remote service.  I.e., never going to work.

The remote user ugi will never have kerberos credentials, so 
checkTGTAndReloginFromKeytab is a meaningless no-op.  Aside, the ipc layer will 
already automatically relogin if necessary.  The check tgt is an old hack for 
http calls.

 

The invokeMethod changes are very broken.
 * The ugi is passed in via the one obtained from the RPC server.  That's the 
context the call is currently in.  It's another doAs the current user, like the 
jmx case, which is a no-op.  Even if it wasn't the current user, the doAs is 
still a no-op because the client proxy "locked in" the ugi when it was created. 
 The current ugi is meaningless – unless the router client somehow circumvented 
it.
 * If the "secure" invoke fails, it catches Exception, re-throws if IOE, but 
logs all other exceptions and continues...
 * Regardless of whether security is enabled or not, _it always calls invoke 
again_.

 

> RBF: Support for Kerberos authentication
> ----------------------------------------
>
>                 Key: HDFS-12284
>                 URL: https://issues.apache.org/jira/browse/HDFS-12284
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Zhe Zhang
>            Assignee: Sherwood Zheng
>            Priority: Major
>             Fix For: HDFS-10467
>
>         Attachments: HDFS-12284.000.patch
>
>
> HDFS Router should support Kerberos authentication and issuing / managing 
> HDFS delegation tokens.
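
The error handling criticised in the last two invokeMethod bullets of the comment above, as a plain-JDK model added here. It is not code from HDFS-12284.000.patch or from Hadoop; every name in it (`flawedInvoke`, `invokeOnce`, `rpc`) is hypothetical, and it assumes the first "secure" attempt is gated on security being enabled.

```java
import java.io.IOException;
import java.util.concurrent.Callable;
import java.util.concurrent.atomic.AtomicInteger;

// Constructed model of the reviewed control flow; all names are hypothetical.
public class InvokeOnceDemo {
  static final AtomicInteger calls = new AtomicInteger();

  // Stand-in for a non-idempotent RPC forwarded to a downstream service.
  static Object rpc() { return calls.incrementAndGet(); }

  // Shape described in the review: a "secure" attempt whose non-IOException
  // failures are only logged, followed by an unconditional second invoke.
  static Object flawedInvoke(boolean securityEnabled, Callable<Object> call) throws IOException {
    if (securityEnabled) {
      try {
        call.call();
      } catch (Exception e) {
        if (e instanceof IOException) throw (IOException) e;
        System.err.println("secure invoke failed, continuing: " + e); // swallowed
      }
    }
    return invokeOnce(call); // runs again whether or not the first attempt ran
  }

  // One invocation per request, every failure propagated to the caller.
  static Object invokeOnce(Callable<Object> call) throws IOException {
    try {
      return call.call();
    } catch (IOException e) {
      throw e;
    } catch (Exception e) {
      throw new IOException("invoke failed", e);
    }
  }

  public static void main(String[] args) throws IOException {
    flawedInvoke(true, InvokeOnceDemo::rpc);
    System.out.println("flawed, security on: rpc ran " + calls.getAndSet(0) + " times");
    // Fails on its first call only; the flawed path hides that failure.
    Callable<Object> flaky = () -> {
      if (calls.incrementAndGet() == 1) throw new IllegalStateException("auth failed");
      return "ok";
    };
    System.out.println("flawed, first attempt threw: result=" + flawedInvoke(true, flaky));
    calls.set(0);
    invokeOnce(InvokeOnceDemo::rpc);
    System.out.println("single invoke: rpc ran " + calls.getAndSet(0) + " time(s)");
  }
}
```

A unit test that counts downstream invocations per request, with security both on and off, catches this class of defect before review.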


