[jira] [Updated] (HADOOP-9317) User cannot specify a kerberos keytab for commands
[ https://issues.apache.org/jira/browse/HADOOP-9317?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vinod Kumar Vavilapalli updated HADOOP-9317: Target Version/s: (was: 2.8.0) Not much going on here for a long time, dropping from 2.8.0. Not putting any target-version either anymore, let's target this depending on when there is patch activity. > User cannot specify a kerberos keytab for commands > -- > > Key: HADOOP-9317 > URL: https://issues.apache.org/jira/browse/HADOOP-9317 > Project: Hadoop Common > Issue Type: Bug > Components: security >Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0-alpha1 >Reporter: Daryn Sharp >Assignee: Daryn Sharp >Priority: Critical > Attachments: HADOOP-9317.branch-23.patch, > HADOOP-9317.branch-23.patch, HADOOP-9317.patch, HADOOP-9317.patch, > HADOOP-9317.patch, HADOOP-9317.patch > > > {{UserGroupInformation}} only allows kerberos users to be logged in via the > ticket cache when running hadoop commands. {{UGI}} allows a keytab to be > used, but it's only exposed programatically. This forces keytab-based users > running hadoop commands to periodically issue a kinit from the keytab. A > race condition exists during the kinit when the ticket cache is deleted and > re-created. Hadoop commands will fail when the ticket cache does not > momentarily exist. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Updated] (HADOOP-9317) User cannot specify a kerberos keytab for commands
[ https://issues.apache.org/jira/browse/HADOOP-9317?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Allen Wittenauer updated HADOOP-9317: - Status: Open (was: Patch Available) bq. So your suggestion won't work because concurrent launches issuing the kinit will still result in the race condition where one process may be issuing the kinit while another is trying to run hadoop commands. If you look at the sample script I wrote, we should be using a different credential cache per invocation, thus removing the race condition. In any case, cancelling the patch since it no longer applies. User cannot specify a kerberos keytab for commands -- Key: HADOOP-9317 URL: https://issues.apache.org/jira/browse/HADOOP-9317 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.0.0-alpha, 0.23.0, 3.0.0 Reporter: Daryn Sharp Assignee: Daryn Sharp Priority: Critical Attachments: HADOOP-9317.branch-23.patch, HADOOP-9317.branch-23.patch, HADOOP-9317.patch, HADOOP-9317.patch, HADOOP-9317.patch, HADOOP-9317.patch {{UserGroupInformation}} only allows kerberos users to be logged in via the ticket cache when running hadoop commands. {{UGI}} allows a keytab to be used, but it's only exposed programatically. This forces keytab-based users running hadoop commands to periodically issue a kinit from the keytab. A race condition exists during the kinit when the ticket cache is deleted and re-created. Hadoop commands will fail when the ticket cache does not momentarily exist. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HADOOP-9317) User cannot specify a kerberos keytab for commands
[ https://issues.apache.org/jira/browse/HADOOP-9317?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Karthik Kambatla updated HADOOP-9317: - Target Version/s: 2.6.0 (was: 3.0.0, 2.5.0) User cannot specify a kerberos keytab for commands -- Key: HADOOP-9317 URL: https://issues.apache.org/jira/browse/HADOOP-9317 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0 Reporter: Daryn Sharp Assignee: Daryn Sharp Priority: Critical Attachments: HADOOP-9317.branch-23.patch, HADOOP-9317.branch-23.patch, HADOOP-9317.patch, HADOOP-9317.patch, HADOOP-9317.patch, HADOOP-9317.patch {{UserGroupInformation}} only allows kerberos users to be logged in via the ticket cache when running hadoop commands. {{UGI}} allows a keytab to be used, but it's only exposed programatically. This forces keytab-based users running hadoop commands to periodically issue a kinit from the keytab. A race condition exists during the kinit when the ticket cache is deleted and re-created. Hadoop commands will fail when the ticket cache does not momentarily exist. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Updated] (HADOOP-9317) User cannot specify a kerberos keytab for commands
[ https://issues.apache.org/jira/browse/HADOOP-9317?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Mit Desai updated HADOOP-9317: -- Target Version/s: 3.0.0, 2.5.0 (was: 3.0.0, 0.23.11, 2.4.0) User cannot specify a kerberos keytab for commands -- Key: HADOOP-9317 URL: https://issues.apache.org/jira/browse/HADOOP-9317 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0 Reporter: Daryn Sharp Assignee: Daryn Sharp Priority: Critical Attachments: HADOOP-9317.branch-23.patch, HADOOP-9317.branch-23.patch, HADOOP-9317.patch, HADOOP-9317.patch, HADOOP-9317.patch, HADOOP-9317.patch {{UserGroupInformation}} only allows kerberos users to be logged in via the ticket cache when running hadoop commands. {{UGI}} allows a keytab to be used, but it's only exposed programatically. This forces keytab-based users running hadoop commands to periodically issue a kinit from the keytab. A race condition exists during the kinit when the ticket cache is deleted and re-created. Hadoop commands will fail when the ticket cache does not momentarily exist. -- This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Updated] (HADOOP-9317) User cannot specify a kerberos keytab for commands
[ https://issues.apache.org/jira/browse/HADOOP-9317?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jason Lowe updated HADOOP-9317: --- Target Version/s: 3.0.0, 0.23.11, 2.4.0 (was: 3.0.0, 0.23.11) User cannot specify a kerberos keytab for commands -- Key: HADOOP-9317 URL: https://issues.apache.org/jira/browse/HADOOP-9317 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0 Reporter: Daryn Sharp Assignee: Daryn Sharp Priority: Critical Attachments: HADOOP-9317.branch-23.patch, HADOOP-9317.branch-23.patch, HADOOP-9317.patch, HADOOP-9317.patch, HADOOP-9317.patch, HADOOP-9317.patch {{UserGroupInformation}} only allows kerberos users to be logged in via the ticket cache when running hadoop commands. {{UGI}} allows a keytab to be used, but it's only exposed programatically. This forces keytab-based users running hadoop commands to periodically issue a kinit from the keytab. A race condition exists during the kinit when the ticket cache is deleted and re-created. Hadoop commands will fail when the ticket cache does not momentarily exist. -- This message was sent by Atlassian JIRA (v6.1.5#6160)
[jira] [Updated] (HADOOP-9317) User cannot specify a kerberos keytab for commands
[ https://issues.apache.org/jira/browse/HADOOP-9317?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Thomas Graves updated HADOOP-9317: -- Target Version/s: 3.0.0, 2.1.0-beta, 0.23.10 (was: 3.0.0, 2.1.0-beta, 0.23.9) User cannot specify a kerberos keytab for commands -- Key: HADOOP-9317 URL: https://issues.apache.org/jira/browse/HADOOP-9317 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0 Reporter: Daryn Sharp Assignee: Daryn Sharp Priority: Critical Attachments: HADOOP-9317.branch-23.patch, HADOOP-9317.branch-23.patch, HADOOP-9317.patch, HADOOP-9317.patch, HADOOP-9317.patch, HADOOP-9317.patch {{UserGroupInformation}} only allows kerberos users to be logged in via the ticket cache when running hadoop commands. {{UGI}} allows a keytab to be used, but it's only exposed programatically. This forces keytab-based users running hadoop commands to periodically issue a kinit from the keytab. A race condition exists during the kinit when the ticket cache is deleted and re-created. Hadoop commands will fail when the ticket cache does not momentarily exist. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-9317) User cannot specify a kerberos keytab for commands
[ https://issues.apache.org/jira/browse/HADOOP-9317?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Thomas Graves updated HADOOP-9317: -- Target Version/s: 3.0.0, 2.0.5-beta, 0.23.9 (was: 3.0.0, 2.0.5-beta, 0.23.8) User cannot specify a kerberos keytab for commands -- Key: HADOOP-9317 URL: https://issues.apache.org/jira/browse/HADOOP-9317 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0 Reporter: Daryn Sharp Assignee: Daryn Sharp Priority: Critical Attachments: HADOOP-9317.branch-23.patch, HADOOP-9317.branch-23.patch, HADOOP-9317.patch, HADOOP-9317.patch, HADOOP-9317.patch, HADOOP-9317.patch {{UserGroupInformation}} only allows kerberos users to be logged in via the ticket cache when running hadoop commands. {{UGI}} allows a keytab to be used, but it's only exposed programatically. This forces keytab-based users running hadoop commands to periodically issue a kinit from the keytab. A race condition exists during the kinit when the ticket cache is deleted and re-created. Hadoop commands will fail when the ticket cache does not momentarily exist. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-9317) User cannot specify a kerberos keytab for commands
[ https://issues.apache.org/jira/browse/HADOOP-9317?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robert Parker updated HADOOP-9317: -- Attachment: HADOOP-9317.patch Refreshed the patch to latest trunk/branch-2 User cannot specify a kerberos keytab for commands -- Key: HADOOP-9317 URL: https://issues.apache.org/jira/browse/HADOOP-9317 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0 Reporter: Daryn Sharp Assignee: Daryn Sharp Priority: Critical Attachments: HADOOP-9317.branch-23.patch, HADOOP-9317.branch-23.patch, HADOOP-9317.patch, HADOOP-9317.patch, HADOOP-9317.patch, HADOOP-9317.patch {{UserGroupInformation}} only allows kerberos users to be logged in via the ticket cache when running hadoop commands. {{UGI}} allows a keytab to be used, but it's only exposed programatically. This forces keytab-based users running hadoop commands to periodically issue a kinit from the keytab. A race condition exists during the kinit when the ticket cache is deleted and re-created. Hadoop commands will fail when the ticket cache does not momentarily exist. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-9317) User cannot specify a kerberos keytab for commands
[ https://issues.apache.org/jira/browse/HADOOP-9317?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daryn Sharp updated HADOOP-9317: Attachment: HADOOP-9317.patch HADOOP-9317.branch-23.patch (This issue is impacting production workflows) The user can already specify a ticket cache via the env KRB5CCNAME. Added corresponding envs for KRB5KEYTAB and KRB5PRINCIPAL. If KRB5KEYTAB is defined, the ticket cache will continue to be searched first but it will fallback to the keytab if there is no ticket cache, no TGT in the ticket cache, or if the ticket cache TGT cannot be renewed. KRB5PRINCIPAL may optionally be specified if the keytab principal does not match the unix user. If both KRB5KEYTAB and KRB5CCNAME are defined, a TGT acquired via the keytab will be written to the ticket cache to avoid constantly acquiring a new TGT. Removed an unnecessary re-instantiation of the UGI (just after it's instantiated and assigned an auth type) to avoid double writing the ticket cache. There is no change to existing behavior if the KRB5KEYTAB env is not defined. These changes allow a user to no longer have to issue periodic kinits, and to no longer have commands fail when the ticket is gone/empty/expired. User cannot specify a kerberos keytab for commands -- Key: HADOOP-9317 URL: https://issues.apache.org/jira/browse/HADOOP-9317 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0 Reporter: Daryn Sharp Assignee: Daryn Sharp Priority: Critical Attachments: HADOOP-9317.branch-23.patch, HADOOP-9317.patch {{UserGroupInformation}} only allows kerberos users to be logged in via the ticket cache when running hadoop commands. {{UGI}} allows a keytab to be used, but it's only exposed programatically. This forces keytab-based users running hadoop commands to periodically issue a kinit from the keytab. A race condition exists during the kinit when the ticket cache is deleted and re-created. Hadoop commands will fail when the ticket cache does not momentarily exist. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-9317) User cannot specify a kerberos keytab for commands
[ https://issues.apache.org/jira/browse/HADOOP-9317?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daryn Sharp updated HADOOP-9317: Attachment: HADOOP-9317.patch Update stale patch due to changes for ibm's java. User cannot specify a kerberos keytab for commands -- Key: HADOOP-9317 URL: https://issues.apache.org/jira/browse/HADOOP-9317 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0 Reporter: Daryn Sharp Assignee: Daryn Sharp Priority: Critical Attachments: HADOOP-9317.branch-23.patch, HADOOP-9317.patch, HADOOP-9317.patch {{UserGroupInformation}} only allows kerberos users to be logged in via the ticket cache when running hadoop commands. {{UGI}} allows a keytab to be used, but it's only exposed programatically. This forces keytab-based users running hadoop commands to periodically issue a kinit from the keytab. A race condition exists during the kinit when the ticket cache is deleted and re-created. Hadoop commands will fail when the ticket cache does not momentarily exist. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-9317) User cannot specify a kerberos keytab for commands
[ https://issues.apache.org/jira/browse/HADOOP-9317?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daryn Sharp updated HADOOP-9317: Attachment: HADOOP-9317.patch HADOOP-9317.branch-23.patch Fix findbugs warning. User cannot specify a kerberos keytab for commands -- Key: HADOOP-9317 URL: https://issues.apache.org/jira/browse/HADOOP-9317 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0 Reporter: Daryn Sharp Assignee: Daryn Sharp Priority: Critical Attachments: HADOOP-9317.branch-23.patch, HADOOP-9317.branch-23.patch, HADOOP-9317.patch, HADOOP-9317.patch, HADOOP-9317.patch {{UserGroupInformation}} only allows kerberos users to be logged in via the ticket cache when running hadoop commands. {{UGI}} allows a keytab to be used, but it's only exposed programatically. This forces keytab-based users running hadoop commands to periodically issue a kinit from the keytab. A race condition exists during the kinit when the ticket cache is deleted and re-created. Hadoop commands will fail when the ticket cache does not momentarily exist. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira