[
https://issues.apache.org/jira/browse/HDFS-14668?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16892309#comment-16892309
]
Sailesh Patel commented on HDFS-14668:
--------------------------------------
Per my testing, a summary of my analysis is:
- User kinits as user@domain_x.
- Fuse receives the user part (OS id, say 454, without the domain) when operations are done on the mount point from the OS.
- Fuse, via Java libraries, builds the complete user@domain_y using default_domain from krb5.conf.
- Fuse then opens the Kerberos ticket cache (/tmp/krb5cc_454) for the user and, due to the mismatch between domain_x (from kinit) and domain_y (from default_realm), will fail with error:
hdfsBuilderConnect(forceNewInstance=1, nn=hdfs://nameservice1, port=0, kerbTicketCachePath=/tmp/krb5cc_454, userName=usertest) error:
LoginException: Unable to obtain password from user
org.apache.hadoop.security.KerberosAuthException: failure to login: for principal: hdfs using ticket cache file: /tmp/krb5cc_454
javax.security.auth.login.LoginException: Unable to obtain password from user
    at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:1992)
    at org.apache.hadoop.security.UserGroupInformation.getUGIFromTicketCache(UserGroupInformation.java:649)
    at org.apache.hadoop.security.UserGroupInformation.getBestUGI(UserGroupInformation.java:622)
    at org.apache.hadoop.fs.FileSystem.newInstance(FileSystem.java:495)
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
    at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:897)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
    at org.apache.hadoop.security.UserGroupInformation$HadoopLoginContext.login(UserGroupInformation.java:2070)
    at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:1982)
    ... 3 more
fuseNewConnect(usrname=hdfs): Unable to create fs: error code 255
fuseConnect(usrname=hdfs): fuseNewConnect failed with error code 255
fuseConnectAsThreadUid: failed to open a libhdfs connection! error 255.
unique: 4, error: -5 (Input/output error), outsize: 16
Per the error stack, the default domain is in the Java layer, called from Krb5LoginModule.java:
https://github.com/frohoff/jdk8u-dev-jdk/blob/da0da73ab82ed714dc5be94acd2f0d00fbdfe2e9/src/share/classes/sun/security/krb5/PrincipalName.java#L155
    public PrincipalName(String[] nameParts, int type)
            throws IllegalArgumentException, RealmException {
        this(type, nameParts, Realm.getDefault()); // <=====
    }
> Support Fuse with Users from multiple Security Realms
> -----------------------------------------------------
>
> Key: HDFS-14668
> URL: https://issues.apache.org/jira/browse/HDFS-14668
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: fuse-dfs
> Reporter: Sailesh Patel
> Priority: Minor
>
> Users from non-default krb5 domain can't use hadoop-fuse.
> There are 2 Realms with kdc.
> - one realm is for human users (USERS.COM.US)
> - the other is for service principals (SERVICE.COM.US)
> Cross-realm trust is set up.
> In krb5.conf the default domain is set to SERVICE.COM.US
> Users within USERS.COM.US Realm are not able to put any files to Fuse mounted
> location
> The client shows:
> cp: cannot create regular file ‘/hdfs_mount/tmp/hello_from_fuse.txt’:
> Input/output error
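Added example (not part of the original JIRA comment or the Hadoop code base): a small Python check for the mismatch the comment describes, deriving user@default_realm from krb5.conf and comparing it with the "Default principal" that klist reports for the ticket cache. The function names and the sample krb5.conf and klist text are constructed for illustration; the realm names, user name and cache path are the ones given in the report.

```python
import re

# Constructed samples: realms, user and cache path follow the report;
# the KDC host name and timestamps are made up.
KRB5_CONF = """\
[libdefaults]
    default_realm = SERVICE.COM.US
[realms]
    USERS.COM.US = {
        kdc = kdc.users.example
    }
"""
KLIST_OUT = """\
Ticket cache: FILE:/tmp/krb5cc_454
Default principal: usertest@USERS.COM.US

Valid starting       Expires              Service principal
07/24/2019 10:00:00  07/24/2019 20:00:00  krbtgt/USERS.COM.US@USERS.COM.US
"""

def default_realm(conf_text):
    """Return default_realm from the [libdefaults] section, or None."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "libdefaults":
            key, _, value = line.partition("=")
            if key.strip() == "default_realm" and value.strip():
                return value.strip()
    return None

def cache_principal(klist_text):
    """Return the 'Default principal' reported by klist, or None."""
    m = re.search(r"^Default principal:\s*(\S+)\s*$", klist_text, re.M)
    return m.group(1) if m else None

def check(short_user, conf_text, klist_text):
    """Compare the principal built from default_realm with the cached one."""
    realm, cached = default_realm(conf_text), cache_principal(klist_text)
    if realm is None or cached is None:
        return {"ok": False, "reason": "missing default_realm or principal"}
    derived = f"{short_user}@{realm}"
    # Realm names are case-sensitive in Kerberos, so compare exactly.
    ok = derived == cached
    reason = "match" if ok else f"derived {derived} but cache holds {cached}"
    return {"ok": ok, "derived": derived, "cached": cached, "reason": reason}

if __name__ == "__main__":
    print(check("usertest", KRB5_CONF, KLIST_OUT))
```

On a live host the two inputs would be the contents of the krb5.conf in use and the output of klist run against the user's ticket cache.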