[
https://issues.apache.org/jira/browse/MAPREDUCE-6792?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Santhosh G Nayak updated MAPREDUCE-6792:
----------------------------------------
Attachment: MAPREDUCE-6792.2.patch
[~djp],Thanks for reviewing the patch.
{quote}1. fileOwner.equalsIgnoreCase(currentUser.getUserName()) - I think our
current assumption in hadoop is user name should be case sensitive, so user and
USER are treated as different user. In AzureFS or other similar cloud based FS,
do we change the assumption here especially for domain name? If not, we should
keep case sensitive check here
{quote}
I would suggest the user's full principal name comparison to be case
insensitive for below 2 reasons,
- [rfc4343|https://tools.ietf.org/html/rfc4343], talks about the case
insensitivity of domain names as a standard and in most cases, Kerberos realm
is domain name, in upper-case letters. Quoting the relevant line from
[What-is-a-Kerberos-Principal|http://web.mit.edu/KERBEROS/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html],
{quote} In most cases, your Kerberos realm is your domain name, in upper-case
letters. For example, the machine daffodil.example.com would be in the realm
EXAMPLE.COM.
{quote}
So, to be able to match the file owner {{[email protected]}} coming from
external cloud storage as part of {{FileSystem.getFileStatus()}} to
{{[email protected]}} from {{UserGroupInformation.getUserName()}}, it is
necessary that we use case insensitive comparison.
- In Active Directory(AD) and Azure, the principal names {{[email protected]}}
and {{[email protected]}} are same.
{quote}
2. The exception message include all possible usernames, it could be duplicated
in case login user = real user (in case no proxy user get used). So we should
do a quick check and only log both when login user != real user. Isn't it?
{quote}
Yes, I agree with you. Addressed it in patch #2.
{quote}
3. It would be great if we can figure out some way to add unit test for use
case that we are adding here.
{quote}
Added few unit tests in patch #2 for the use case we are adding.
> Allow user's full principal name as owner of MapReduce staging directory in
> JobSubmissionFiles#JobStagingDir()
> --------------------------------------------------------------------------------------------------------------
>
> Key: MAPREDUCE-6792
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-6792
> Project: Hadoop Map/Reduce
> Issue Type: Improvement
> Components: client
> Reporter: Santhosh G Nayak
> Assignee: Santhosh G Nayak
> Attachments: MAPREDUCE-6792.1.patch, MAPREDUCE-6792.2.patch
>
>
> Background -
> Currently, {{JobSubmissionFiles#JobStagingDir()}} assumes that file owner
> returned as part of {{FileSystem#getFileStatus()}} is always user's short
> principal name, which is true for HDFS. But, some file systems which are HDFS
> compatible like [Azure Data Lake Store (ADLS)
> |https://azure.microsoft.com/en-in/services/data-lake-store/] and work in
> multi tenant environment can have users with same names belonging to
> different domains. For example, {{[email protected]}} and
> {{[email protected]}}. It will be ambiguous, if
> {{FileSystem#getFileStatus()}} returns only the user's short principal name
> (without domain name) as the owner of the file/directory.
> The following code block allows only short user principal name as owner. It
> simply fails saying that ownership on the staging directory is not as
> expected, if owner returned by the {{FileStatus#getOwner()}} is not equal to
> short principal name of the current user.
> {code}
> String realUser;
> String currentUser;
> UserGroupInformation ugi = UserGroupInformation.getLoginUser();
> realUser = ugi.getShortUserName();
> currentUser = UserGroupInformation.getCurrentUser().getShortUserName();
> if (fs.exists(stagingArea)) {
> FileStatus fsStatus = fs.getFileStatus(stagingArea);
> String owner = fsStatus.getOwner();
> if (!(owner.equals(currentUser) || owner.equals(realUser))) {
> throw new IOException("The ownership on the staging directory " +
> stagingArea + " is not as expected. " +
> "It is owned by " + owner + ". The directory must " +
> "be owned by the submitter " + currentUser + " or " +
> "by " + realUser);
> }
> {code}
> The proposal is to remove the strict restriction on short principal name by
> allowing the user's full principal name as owner of staging area directory in
> {{JobSubmissionFiles#JobStagingDir()}}.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
