[ https://issues.apache.org/jira/browse/HDFS-14668?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16892308#comment-16892308 ]

Sailesh Patel commented on HDFS-14668:
--------------------------------------

Steps to reproduce the issue:

1. Set up 2 MIT KDCs with 2 realms, USERS.COM.US and SERVICE.COM.US
2. Set up a cluster with the SERVICE.COM.US realm.
3. Log in to a node as root
4. Ensure krb5.conf
   a. has default_realm SERVICE.COM.US
   b. is configured to resolve to both realms
5. kinit as SERVICE.COM.US user/service principal
6. Mount HDFS with the debug option:
   a. vi /etc/fuse.conf and uncomment the allow
   b. mkdir /tmp/fusetest
      export LD_LIBRARY_PATH=/usr/java/jdk1.8.0_181/jre/lib/amd64/server:$LD_LIBRARY_PATH
      export LD_LIBRARY_PATH=<HDFS_location>/lib64:$LD_LIBRARY_PATH
   c. umount /tmp/fusetest
   d. hadoop-fuse-dfs dfs://NN:port /tmp/fusetest -odebug
7. Log in to the same node as a user (say testuser)
8. Ensure testuser exists in KDC: USERS.COM.US
9. kinit [email protected]
10. Access the mount point: ls /tmp/fusetest

The error will show:

hdfsBuilderConnect(forceNewInstance=1, nn=hdfs://nameservice1, port=0, kerbTicketCachePath=/tmp/krb5cc_0, userName=testuser) error:
LoginException: Unable to obtain password from user
org.apache.hadoop.security.KerberosAuthException: failure to login: for principal: root using ticket cache file: /tmp/krb5cc_454 javax.security.auth.login.LoginException: Unable to obtain password from user

 

> Support Fuse with Users from multiple Security Realms
> -----------------------------------------------------
>
>                 Key: HDFS-14668
>                 URL: https://issues.apache.org/jira/browse/HDFS-14668
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: fuse-dfs
>            Reporter: Sailesh Patel
>            Priority: Minor
>
> Users from non-default krb5 domain can't use hadoop-fuse.
> There are 2 realms with KDC.
>     - one realm is for human users (USERS.COM.US)
>     - the other is for service principals (SERVICE.COM.US)
> Cross-realm trust is set up.
> In krb5.conf the default domain is set to SERVICE.COM.US
> Users within the USERS.COM.US realm are not able to put any files to the Fuse-mounted location.
> The client shows:
>       cp: cannot create regular file ‘/hdfs_mount/tmp/hello_from_fuse.txt’: Input/output error



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
