Yicong Cai created HADOOP-16521: ----------------------------------- Summary: Subject has a contradiction between proxy user and real user Key: HADOOP-16521 URL: https://issues.apache.org/jira/browse/HADOOP-16521 Project: Hadoop Common Issue Type: Bug Reporter: Yicong Cai
In the method UserGroupInformation#loginUserFromSubject, if you specify ProxyUser with HADOOP_PROXY_USER, and create a Proxy UGI instance, the valid Credentials are included in the User's PrivateCredentials. The UGI information is as follows: {code:java} proxyUGI | |--subject 1 | | | |--principals | | | | | |--user | | | | | --real user | | | --privCredentials(all cred) | --proxy user {code} If you first login Real User and then use UserGroupInformation#createProxyUser to create a Proxy UGI, the valid Credentials information is included in RealUser's subject PrivateCredentials. The UGI information is as follows: {code:java} proxyUGI | |--subject 1 | | | |--principals | | | | | |--user | | | | | --real user | | | | | --subject 2 | | | | | --privCredentials(all cred) | | | --privCredentials(empty) | --proxy user{code} Use the proxy user in the HDFS FileSystem to perform token-related operations. However, in the RPC Client Connection, use the token in RealUser for SaslRpcClient#saslConnect. So the main contradiction is, should ProxyUser's real Credentials information be placed in ProxyUGI's subject, or should it be placed in RealUser's subject? -- This message was sent by Atlassian Jira (v8.3.2#803003) --------------------------------------------------------------------- To unsubscribe, e-mail: common-dev-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-dev-h...@hadoop.apache.org