[
https://issues.apache.org/jira/browse/HDFS-3568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13408502#comment-13408502
]
Aaron T. Myers commented on HDFS-3568:
--------------------------------------
The latest patch looks pretty good to me. In addition to examining the code, I
also tested it manually and confirmed that it largely works as expected, save
for one thing which I think we should address in a follow-up JIRA.

I noticed during my testing that if one kinits as some principal "foo" and then
does some operation on fuse_dfs, then kdestroy and kinit as some principal
"bar", subsequent operations done via fuse_dfs will still use cached
credentials for "foo". The reason for this is that fuse_dfs caches Filesystem
instances using the UID of the user running the command as the key into the
cache. I think this isn't a big deal, though, since it's pretty uncommon for a
single user to want to use credentials for several different principals on the
same box.

Colin, if you agree, would you mind filing a follow-up JIRA for the above issue?

Two small comments with the current patch, +1 once these are addressed:
# In the following code, I think you might also want to assert that
loginPrincipals.size() == 1, and at least log a WARN if it's > 1:
{code}
+ Set<Principal> loginPrincipals = loginSubject.getPrincipals();
+ if (loginPrincipals.isEmpty()) {
+ throw new RuntimeException("No login principals found!");
+ }
+ User ugiUser = new User(loginPrincipals.iterator().next().getName(),
+ AuthenticationMethod.KERBEROS, login);
{code}
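Review bot: `loginPrincipals.iterator().next()` takes whichever Principal the Set yields first, and the Set contract gives no ordering guarantee, nor does `getPrincipals()` restrict the result to Kerberos principals, so the name passed to `new User(..., AuthenticationMethod.KERBEROS, login)` may not be the Kerberos identity. Consider selecting with `loginSubject.getPrincipals(KerberosPrincipal.class)` and throwing when that filtered set is empty, so the user name always comes from a Kerberos principal.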
# I think we should change the config key "kerberos.ticket.cache.path" to
"hadoop.security.kerberos.ticket.cache.path", to be more in line with the other
security configs.
> fuse_dfs: add support for security
> ----------------------------------
>
> Key: HDFS-3568
> URL: https://issues.apache.org/jira/browse/HDFS-3568
> Project: Hadoop HDFS
> Issue Type: Improvement
> Affects Versions: 1.0.0, 2.0.0-alpha
> Reporter: Colin Patrick McCabe
> Assignee: Colin Patrick McCabe
> Fix For: 1.1.0, 2.0.1-alpha
>
> Attachments: HDFS-3568.001.patch, HDFS-3568.002.patch
>
>
> fuse_dfs should have support for Kerberos authentication. This would allow
> FUSE to be used in a secure cluster.
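
A simplified model of the caching behaviour described in the comment above, as an added example that is not fuse_dfs code and not part of the patch. `struct conn`, the function names and the sample principals are hypothetical; keying on UID plus principal is shown as one possible alternative, not the project's fix.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define MAX_CONNS 16

/* One cached filesystem connection and the identity it was opened with. */
struct conn {
    uid_t uid;
    char principal[128];  /* principal the connection authenticated as */
};

static struct conn cache[MAX_CONNS];
static int n_conns;

/* Model of "open a connection with the caller's current ticket cache". */
static struct conn *conn_open(uid_t uid, const char *cur)
{
    if (n_conns == MAX_CONNS || strlen(cur) >= sizeof(cache[0].principal))
        return NULL;                   /* cache full or name too long */
    struct conn *c = &cache[n_conns++];
    c->uid = uid;
    snprintf(c->principal, sizeof(c->principal), "%s", cur);
    return c;
}

/* Behaviour described in the comment: the UID alone is the cache key. */
static struct conn *get_conn_by_uid(uid_t uid, const char *cur)
{
    for (int i = 0; i < n_conns; i++)
        if (cache[i].uid == uid)
            return &cache[i];          /* may carry an older principal */
    return conn_open(uid, cur);
}

/* Alternative key (assumption): UID plus the principal held right now. */
static struct conn *get_conn_by_uid_and_principal(uid_t uid, const char *cur)
{
    for (int i = 0; i < n_conns; i++)
        if (cache[i].uid == uid && strcmp(cache[i].principal, cur) == 0)
            return &cache[i];
    return conn_open(uid, cur);
}

int main(void)
{
    /* Constructed scenario: kinit foo, use the mount, kdestroy, kinit bar. */
    get_conn_by_uid(1000, "foo@EXAMPLE.COM");
    struct conn *c = get_conn_by_uid(1000, "bar@EXAMPLE.COM");
    printf("UID-keyed lookup after switching to bar uses: %s\n", c->principal);
    return 0;
}
```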