hadoop-common-issues mailing list archives

From "Kai Zheng (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9840) Improve User class for UGI and decouple it from Kerberos
Date Wed, 07 Aug 2013 09:32:48 GMT

[ https://issues.apache.org/jira/browse/HADOOP-9840?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13731816#comment-13731816 ]

Kai Zheng commented on HADOOP-9840:

> This appears to be further locking in that a UGI may have one and only one login identity
> by using auth-specific subclasses of User.

UGI wraps subject, which can contain multiple principals. We can add more than one auth-specific
subclass object as identities or principals to it. By using an auth-specific subclass, we can
customize methods to get groups and arbitrary attributes according to the specific auth. This
should be helpful for TokenAuth/HSSO, where we need to add a construct like IdentityTokenUser,
which determines groups and attributes by extracting them from the wrapped identity/access
token. Though, we might want to avoid mixing much auth-specific code into the one User class,
as the current code does for Kerberos auth.

> Improve User class for UGI and decouple it from Kerberos
> --------------------------------------------------------
>                 Key: HADOOP-9840
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9840
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>            Priority: Minor
>              Labels: Rhino
>         Attachments: HADOOP-9840.patch, HADOOP-9840.patch
>
> As discussed in HADOOP-9797, it would be better to improve UGI incrementally. Open this
> JIRA to improve User class to:
> * Make it extensible as a base class, then it can have subclasses like SimpleUser for Simple
>   authn, KerberosUser for Kerberos authn, IdentityTokenUser for TokenAuth (in future), etc.
> * Decouple it from Kerberos.
> * Refactor UGI class safely, move testing-related code out of it.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
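
The design discussed in the comment above, as an added sketch that is not part of the original message and is not Hadoop's code: a JAAS `Subject` holding two auth-specific `User` principals, each resolving groups its own way. The class bodies, the `groupLookup` function, the claim layout and the sample names are assumptions made for illustration.

```java
import java.security.Principal;
import java.util.*;
import java.util.function.Function;
import javax.security.auth.Subject;

// Hypothetical sketch; these classes are not Hadoop's User/UGI implementation.
public class UserSketch {
    // Auth-neutral base: no Kerberos fields, only what every identity shares.
    static abstract class User implements Principal {
        private final String name;
        User(String name) { this.name = Objects.requireNonNull(name); }
        @Override public String getName() { return name; }
        abstract String authMethod();
        abstract List<String> getGroups();   // resolved per auth mechanism
        // Principals are stored in a Set, so equality must include the concrete type.
        @Override public boolean equals(Object o) {
            return o != null && o.getClass() == getClass() && ((User) o).name.equals(name);
        }
        @Override public int hashCode() { return Objects.hash(getClass(), name); }
    }
    static final class KerberosUser extends User {
        private final Function<String, List<String>> groupLookup; // assumed external mapping
        KerberosUser(String principal, Function<String, List<String>> groupLookup) {
            super(principal);
            this.groupLookup = groupLookup;
        }
        String authMethod() { return "KERBEROS"; }
        // Map on the short name (text before '/' or '@'), as a directory lookup would.
        List<String> getGroups() { return groupLookup.apply(getName().split("[/@]")[0]); }
    }
    static final class IdentityTokenUser extends User {
        private final Map<String, List<String>> claims; // constructed token attributes
        IdentityTokenUser(String name, Map<String, List<String>> claims) {
            super(name);
            this.claims = Map.copyOf(claims); // defensive copy: the identity is immutable
        }
        String authMethod() { return "TOKEN"; }
        List<String> getGroups() { return claims.getOrDefault("groups", List.of()); }
    }
    public static void main(String[] args) {
        Map<String, List<String>> directory = Map.of("alice", List.of("hdfs-users"));
        Subject subject = new Subject();
        subject.getPrincipals().add(new KerberosUser("alice@EXAMPLE.COM",
            n -> directory.getOrDefault(n, List.of())));
        subject.getPrincipals().add(new IdentityTokenUser("alice",
            Map.of("groups", List.of("analysts", "etl"))));
        subject.setReadOnly(); // freeze the principal set once login completes
        // Callers select identities by type instead of assuming a single login.
        for (User u : subject.getPrincipals(User.class))
            System.out.println(u.authMethod() + " " + u.getName() + " " + u.getGroups());
    }
}
```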
