[jira] [Commented] (HADOOP-9797) Pluggable and compatible UGI change

2013-10-29 Thread Kai Zheng (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-9797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13808656#comment-13808656
 ] 

Kai Zheng commented on HADOOP-9797:
---

Hi Larry,

Thanks for taking care of this. You're right, you found a coding error in 
getJaasLoginConfiguration(). The code became obsolete when HadoopLoginFactory 
was introduced, and I should have removed the dead code. Thanks anyway.

Sure, to simply add the TokenAuthn method we don't need this, as can be 
seen in HADOOP-9804. I'm probably running this for the long term, trying various 
possible enhancements with incremental patches.

 Pluggable and compatible UGI change
 ---

 Key: HADOOP-9797
 URL: https://issues.apache.org/jira/browse/HADOOP-9797
 Project: Hadoop Common
  Issue Type: Sub-task
  Components: security
Reporter: Kai Zheng
Assignee: Kai Zheng
  Labels: Rhino
 Fix For: 3.0.0

 Attachments: HADOOP-9797-v1.patch, HADOOP-9797-v2.patch, 
 HADOOP-9797-v3.patch, Pluggable and Compatible UGI Change.pdf


 As already widely discussed, current UGI related classes need to be improved 
 in many aspects. This is to improve and make UGI so that it can be: 
  
 * Pluggable, new authentication method with its login module can be 
 dynamically registered and plugged without having to change the UGI class;
 * Extensible, login modules with their options can be dynamically extended 
 and customized so that can be reusable elsewhere, like in TokenAuth;
  
 * No Kerberos relevant, remove any Kerberos relevant functionalities out of 
 it to make it simple and suitable for other login mechanisms; 
 * Of appropriate abstraction and API, with improved abstraction and API it’s 
 possible to allow authentication implementations not using JAAS modules;
 * Compatible, should be compatible with previous deployment and 
 authentication methods, so the existing APIs won’t be removed and some of 
 them are just to be deprecated.



--
This message was sent by Atlassian JIRA
(v6.1#6144)


[jira] [Commented] (HADOOP-9797) Pluggable and compatible UGI change

2013-10-28 Thread Larry McCay (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-9797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13807188#comment-13807188
 ] 

Larry McCay commented on HADOOP-9797:
-

Hello Kai - I've spent some more time reviewing this patch and have found what 
I believe to be a bug in the HadoopLoginManager.
In addition, I would like to discuss how we might be able to make progress with 
a pluggable authentication mechanism without such a large change to UGI. 

I fear that this change introduces a lot of risk to existing usage by both the 
Hadoop infrastructure itself and to unknown clients from end users and third 
party ecosystem usage.

If we can come up with a less intrusive change, I think that would be easier to 
move forward.
What would you consider the least amount of change that would make plugging in 
(or maybe just adding) token auth possible?

Anyway, the following code snippet seems like it may be wrong to me:

+  /**
+   * Get and return Jaas login configuration, as convenient method for Jaas 
login
+   */
+  public static JaasLoginConfiguration getJaasLoginConfiguration(String 
confName) {
+HadoopLoginConfiguration hlc = createLoginConfiguration(confName);
+
+if (hlc != null) {
+  return null;
+}
+
+if (! (hlc instanceof JaasLoginConfiguration) ) {
+  throw new IllegalArgumentException(Not JAAS configuration:  + 
confName);
+}
+JaasLoginConfiguration jlc = (JaasLoginConfiguration) hlc;
+return (JaasLoginConfiguration) jlc;
+  }
+}
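
Review bot: The null check at the top of getJaasLoginConfiguration() is inverted. As written, "if (hlc != null) return null;" returns null for every configuration that createLoginConfiguration(confName) actually produced, and a null hlc falls through to the instanceof test, where null is never an instance of JaasLoginConfiguration, so the method throws IllegalArgumentException("Not JAAS configuration: ...") for a configuration that simply does not exist. The condition should be "hlc == null", and the Javadoc should state what a caller gets for an unknown confName (null or an exception), because login code that receives null for a valid configuration name cannot tell it apart from a missing one. The final cast in "return (JaasLoginConfiguration) jlc;" is redundant since jlc already has that type.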



[jira] [Commented] (HADOOP-9797) Pluggable and compatible UGI change

2013-09-10 Thread Kai Zheng (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-9797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13763671#comment-13763671
 ] 

Kai Zheng commented on HADOOP-9797:
---

HADOOP-9942 and HADOOP-9943 were opened to allow unit tests for this UGI change 
using MiniKdc.


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira


[jira] [Commented] (HADOOP-9797) Pluggable and compatible UGI change

2013-09-02 Thread Kai Zheng (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-9797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13755963#comment-13755963
 ] 

Kai Zheng commented on HADOOP-9797:
---

Larry & Dilli,

This UGI change desires to be both pluggable and compatible. To be pluggable, 
it sure needs to be modular first and this requires removing the relevant 
global static variables in the UGI class. On the other hand to be compatible, 
as stated in the JIRA description and Dilli suggested, the static public 
methods in the UGI class will remain and are to be just deprecated since 
they’re part of the API. Sure this focuses on pluggable, removing statics is 
more like a side effect. I would keep the support of multiple clusters in mind 
in the design and implementation, though.




[jira] [Commented] (HADOOP-9797) Pluggable and compatible UGI change

2013-08-22 Thread Larry McCay (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-9797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13748145#comment-13748145
 ] 

Larry McCay commented on HADOOP-9797:
-

In fact, we have to be really careful about changing the client facing APIs. 
For instance, clients - including third parties - leverage static 
loginUserFromKeyTab methods. It is difficult to impossible to know all the 
consumers of those APIs. So anyway, that is just a heads-up.



[jira] [Commented] (HADOOP-9797) Pluggable and compatible UGI change

2013-08-22 Thread Dilli Arumugam (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-9797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13748151#comment-13748151
 ] 

Dilli Arumugam commented on HADOOP-9797:


Maybe the static methods of UserGroupInformation should be marked deprecated 
in this patch.
Maybe they should be marked deprecated independent of this patch.



[jira] [Commented] (HADOOP-9797) Pluggable and compatible UGI change

2013-08-21 Thread Kai Zheng (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-9797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13746709#comment-13746709
 ] 

Kai Zheng commented on HADOOP-9797:
---

Hi Sanjay,

bq. Having read the patch, I agree with Daryn, can you split this jira into 
smaller ones and submit some updated patches please.
Yes it's going. HADOOP-9840 and HADOOP-9841 were opened and two incremental 
patches were attached. I'm working on the left part and subsequent ones will be 
coming. Would you help review them and provide your inputs then. Thanks.

bq. can you please add a comment on what you will be testing beyond the unit 
tests.
Sure. I am working with our QA engineers on testing both Simple and Kerberos 
cases, covering HDFS for the initial patch. As you suggested, we will also add 
more tests covering YARN component and trusted proxy case when submitting 
related patches. Any other testing scenario that you would like to see?




[jira] [Commented] (HADOOP-9797) Pluggable and compatible UGI change

2013-08-21 Thread Kai Zheng (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-9797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13746721#comment-13746721
 ] 

Kai Zheng commented on HADOOP-9797:
---

Hi Lars,

bq. is there any chance to do away with all of the static members and methods 
on UGI
Yes it’s possible. We’re working on incremental patches and in them getting rid 
of global and static stuffs is considered.
bq. the same JVM we need to connect to some kerberos secured and some unsecured 
clusters.
Good idea! This provides another strong case to validate the change to support 
multiple clusters for client. The change will ensure to use fresh UGI and its 
internals after cluster switching, beside this, any security concerns do you 
have? If any what kind of convenient support the UGI library can provide?



[jira] [Commented] (HADOOP-9797) Pluggable and compatible UGI change

2013-08-21 Thread Larry McCay (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-9797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13746740#comment-13746740
 ] 

Larry McCay commented on HADOOP-9797:
-

I would suggest keeping the refactoring of statics and the like as a
separate effort. Don't mix it with the pluggability work which is complex
enough. Not that it shouldn't be done - just make it a separate issue.







[jira] [Commented] (HADOOP-9797) Pluggable and compatible UGI change

2013-08-14 Thread Lars Hofhansl (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-9797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13740654#comment-13740654
 ] 

Lars Hofhansl commented on HADOOP-9797:
---

While we are at it, is there any chance to do away with all of the static 
members and methods on UGI (loginUser is still static)?
We ran into a problem where from the same JVM we need to connect to some 
kerberos secured and some unsecured clusters. That is currently not possible.




[jira] [Commented] (HADOOP-9797) Pluggable and compatible UGI change

2013-08-09 Thread Sanjay Radia (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-9797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13735045#comment-13735045
 ] 

Sanjay Radia commented on HADOOP-9797:
--

[~daryn]
bq. but a change this large might need to be decomposed into incremental steps.



[jira] [Commented] (HADOOP-9797) Pluggable and compatible UGI change

2013-08-09 Thread Sanjay Radia (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-9797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13735050#comment-13735050
 ] 

Sanjay Radia commented on HADOOP-9797:
--

Oops, hit add by mistake.
[~daryn]
bq. but a change this large might need to be decomposed into incremental steps.
Having read the patch, I agree with Daryn, can you split this jira into smaller 
ones and submit some updated patches please.



[jira] [Commented] (HADOOP-9797) Pluggable and compatible UGI change

2013-08-09 Thread Sanjay Radia (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-9797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13735218#comment-13735218
 ] 

Sanjay Radia commented on HADOOP-9797:
--

Given that this jira is going to change a key part of the code, can you please add 
a comment on what you will be testing beyond the unit tests. For security, we 
have relied on a fair amount of manual testing. You should test the classic 
kerberos case for both HDFS and MR, along with a trusted proxy (say Oozie). 



[jira] [Commented] (HADOOP-9797) Pluggable and compatible UGI change

2013-08-07 Thread Kai Zheng (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-9797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13731814#comment-13731814
 ] 

Kai Zheng commented on HADOOP-9797:
---

bq.Along the same lines as HADOOP-9840, this is further locking in a client 
having one and only one identity.
Please see my response on HADOOP-9840, it should still allow for support of 
multiple identities.

bq.I've often considered having subclasses of UGI that were login-type specific.
Good to hear. In the initial patch it comes up LiteUGI and various subclasses 
of it are login-type specific. I will resolve some concerns like naming issues 
and provide another patch based on existing ones.
bq.a client UGI should do JAAS login on-demand for a given AuthMethod.
Quite agree. It's particularly useful for token authn client which is 
instructed by server to use specific authn mechanisms and JAAS login modules 
dynamically. That's also the primary goal for this issue although we should 
approach it incrementally as you suggested.



[jira] [Commented] (HADOOP-9797) Pluggable and compatible UGI change

2013-08-06 Thread Daryn Sharp (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-9797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13730826#comment-13730826
 ] 

Daryn Sharp commented on HADOOP-9797:
-

Along the same lines as HADOOP-9840, this is further locking in a client having 
one and only one identity.

I've often considered having subclasses of UGI that were login-type specific.  
Owen had concerns that this was once tried and failed but I thought I could 
make it work.  Now that there's these alternate login methods coming, there's a 
problem if the user has a TGT - it's authMethod KERBEROS but then accesses a 
service requiring HSSO/TokenAuth.  The UGI must simultaneously support both.

My general thinking from before the summit has been a client UGI should do JAAS 
login on-demand for a given AuthMethod.  A few examples are only trigger 
kerberos auth if a web service wants spnego or SASL service wants GSSAPI.  
Being on the 2.1 critical path has prevented me from having the time to flesh 
out how that may be accomplished...

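An added sketch of the on-demand, per-AuthMethod login described in the comment above (not code from the HADOOP-9797 patch or from Hadoop). `MultiAuthUser`, `LoginProvider` and the method-name strings are hypothetical, and `fakeLogin` is a constructed stand-in for a real JAAS login.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.security.auth.Subject;

public class OnDemandLoginDemo {
    /** Hypothetical plug-in point; a real provider could wrap a JAAS LoginContext. */
    interface LoginProvider { Subject login() throws Exception; }

    /** Hypothetical holder: one user, one lazily created Subject per auth method. */
    static final class MultiAuthUser {
        private final Map<String, LoginProvider> providers = new ConcurrentHashMap<>();
        private final Map<String, Subject> sessions = new ConcurrentHashMap<>();

        /** New methods are registered here, so this class never changes for them. */
        void register(String authMethod, LoginProvider p) { providers.put(authMethod, p); }

        /** Logs in the first time a service demands this method, then reuses it. */
        Subject subjectFor(String authMethod) {
            LoginProvider p = providers.get(authMethod);
            if (p == null) throw new IllegalArgumentException("no login for " + authMethod);
            // At most one login per method under contention; a failed login leaves
            // no entry behind, so the next call retries instead of caching failure.
            return sessions.computeIfAbsent(authMethod, m -> {
                try { return p.login(); }
                catch (Exception e) { throw new IllegalStateException("login failed for " + m, e); }
            });
        }
    }

    /** Constructed stand-in for a real login; counts how often it actually runs. */
    static Subject fakeLogin(String name, AtomicInteger counter) {
        counter.incrementAndGet();
        Subject subject = new Subject();
        subject.getPrincipals().add(() -> name);   // Principal whose getName() is `name`
        return subject;
    }

    public static void main(String[] args) {
        AtomicInteger krb = new AtomicInteger(), tok = new AtomicInteger();
        MultiAuthUser user = new MultiAuthUser();
        user.register("KERBEROS", () -> fakeLogin("alice@EXAMPLE.COM", krb));
        user.register("TOKENAUTH", () -> fakeLogin("alice-token", tok));
        System.out.println("logins before any service call: " + krb + " / " + tok);
        user.subjectFor("KERBEROS"); user.subjectFor("KERBEROS");   // second call reuses
        Subject t = user.subjectFor("TOKENAUTH");   // same user, second identity
        System.out.println("logins after: " + krb + " / " + tok + ", token principal: "
                + t.getPrincipals().iterator().next().getName());
    }
}
```

`ConcurrentHashMap.computeIfAbsent` may block other threads updating the same map while the login runs, so a slow network login would need a different at-most-once mechanism.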


[jira] [Commented] (HADOOP-9797) Pluggable and compatible UGI change

2013-08-01 Thread Kai Zheng (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-9797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13726231#comment-13726231
 ] 

Kai Zheng commented on HADOOP-9797:
---

Larry,

Thanks for your comments.
 
1. If you have any suggestions for another term to distinguish the difference, 
perhaps we could discuss it on the TokenAuth related JIRA, HADOOP-9804 Hadoop 
RPC TokenAuthn method.

2 & 3. Regarding LiteUGI, let me think of a better name for it with the next 
drop.



[jira] [Commented] (HADOOP-9797) Pluggable and compatible UGI change

2013-08-01 Thread Larry McCay (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-9797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13726462#comment-13726462
 ] 

Larry McCay commented on HADOOP-9797:
-

Sounds good, Kai.

Regarding #2 & 3 - I think we should consider the interface, abstract base class 
and interface being returned through the methods instead of the abstract class. 
I don't really think it is just a naming issue.



[jira] [Commented] (HADOOP-9797) Pluggable and compatible UGI change

2013-07-31 Thread Daryn Sharp (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-9797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13725242#comment-13725242
 ] 

Daryn Sharp commented on HADOOP-9797:
-

I'll review today once I get some other RPC changes done, and see if/how it 
conflicts with another effort to reduce sync'ing in the UGI.



[jira] [Commented] (HADOOP-9797) Pluggable and compatible UGI change

2013-07-31 Thread Larry McCay (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-9797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13725287#comment-13725287
 ] 

Larry McCay commented on HADOOP-9797:
-

Thanks for the patch, Kai. I will also be reviewing this work today and in 
particular considering how it may be leveraged for a REST AuthenticationHandler 
that I have for validating incoming JWT access tokens.



[jira] [Commented] (HADOOP-9797) Pluggable and compatible UGI change

2013-07-31 Thread Daryn Sharp (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-9797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13725504#comment-13725504
 ] 

Daryn Sharp commented on HADOOP-9797:
-

At a high level this looks like a good change, but wow it's big.  The UGI is a 
critical class.  Subtle bugs exposed by race conditions can knock out a server 
- those issues are extremely hard to debug.  I'm actively reviewing but a 
change this large might need to be decomposed into incremental steps.  It's 
taking me a bit to unwind what it's doing and verify/document problems.



[jira] [Commented] (HADOOP-9797) Pluggable and compatible UGI change

2013-07-31 Thread Larry McCay (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-9797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13725592#comment-13725592
 ] 

Larry McCay commented on HADOOP-9797:
-

As for the design changes, I think that you introduce some nice abstraction 
that is missing in UGI. In general the pattern of using an additional check 
everywhere isSecurityEnabled is called is unfortunate - but I understand why 
you've taken that approach for backward compatibility. I think that this pattern 
can be leveraged for REST endpoints as well - within AuthFilter.

A couple things that bother me a bit:
1. It is even more difficult to distinguish the difference between TokenAuth 
and the existing TOKEN(AuthMethod.TOKEN) in the code. I think that in our 
previous discussions we had the context of those discussions to keep it all 
straight. For the uninitiated developer trying to discern what this code does - 
I think it is a problem. Unfortunately, I don't have an alternative term to 
propose yet.

2. LiteUgi: I think that this is probably mostly a classname issue. Lite brings 
certain connotations to mind that I don't think make sense for this class. It 
appears to be a base/abstract class for deriving concrete UGI implementations 
from but at the same time it is returned from methods. It is also used in 
method names. I think that what we really need here is an abstract 
implementation of a new UGI interface. The interface should be returned by 
related methods instead of an abstract class and method names should not 
include the abstract/base classname. I also don't think Lite is an appropriate 
name - I kept thinking that it was somehow related to Simple or some other 
lighter context. This would facilitate the ability to have UGI impls that 
don't need to extend that particular abstract class.

3. Using the LiteUgi name in methods - just calling this out as a separate 
issue from the classname in #2 above.

I also share Daryn's opinion that it is a large change. Refactorings such as 
these are difficult to decompose into smaller steps but doing so would allow 
the review to be done more easily. Additionally, smaller changes would need to 
be reverted in the case of problems being introduced through one of the patches.

I will continue to dig through the patch to provide a more detailed review - 
but I thought that I would share my high level thinking at this time.

