[jira] [Commented] (MAPREDUCE-7236) HadoopArchiveLogs will use token to create proxy user when kerberos on

Shilun Fan (Jira) Thu, 04 Jan 2024 01:33:36 -0800


    [ 
https://issues.apache.org/jira/browse/MAPREDUCE-7236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17802803#comment-17802803
 ]


Shilun Fan commented on MAPREDUCE-7236:
---------------------------------------

Bulk update: moved all 3.4.0 non-blocker issues, please move back if it is a 
blocker. Retarget 3.5.0.

> HadoopArchiveLogs will use token to create proxy user when kerberos on
> ----------------------------------------------------------------------
>
>                 Key: MAPREDUCE-7236
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-7236
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>    Affects Versions: 2.9.2
>            Reporter: Yicong Cai
>            Priority: Major
>
> HadoopArchiveLogsRunner runs in the Yarn Container via DistributedShell.
> The Client of the DistributedShell gets the Token and uses it for the Runner.
> The Runner create ProxyUser via Token, which violates the ProxyUser principle.
> There are two solutions:
> 1. Pass the Keytab to the Runner, login with Keytab and create ProxyUser.
> 2. Run the HadoopArchiveLogs task with HDFS Super User. After the Archive is 
> finished, use chown to modify it to the corresponding user.
> I prefer to use the first way to solve the problem. Any suggestions?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: mapreduce-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: mapreduce-issues-h...@hadoop.apache.org

[jira] [Commented] (MAPREDUCE-7236) HadoopArchiveLogs will use token to create proxy user when kerberos on

Reply via email to