hadoop-common-issues mailing list archives

From "Chris Nauroth (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-13066) UserGroupInformation.loginWithKerberos/getLoginUser is not thread-safe
Date Thu, 28 Apr 2016 17:30:13 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-13066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15262581#comment-15262581 ]

Chris Nauroth commented on HADOOP-13066:
----------------------------------------

Hello [~sershe].

bq. I think the simplest way to fix would be to have login method also return the UGI

Have you seen {{UserGroupInformation#loginUserFromKeytabAndReturnUGI}}?  If the application
was changed to call that, then you could execute code within a {{doAs}} block on the returned
UGI instance.  In your example, each thread would operate on a different UGI instance.  This
method does not alter the process-global logged-in user.

{code}
  /**
   * Log a user in from a keytab file. Loads a user identity from a keytab
   * file and login them in. This new user does not affect the currently
   * logged-in user.
   * @param user the principal name to load from the keytab
   * @param path the path to the keytab file
   * @throws IOException if the keytab file can't be read
   */
  public synchronized
  static UserGroupInformation loginUserFromKeytabAndReturnUGI(String user,
                                  String path
                                  ) throws IOException {
{code}


> UserGroupInformation.loginWithKerberos/getLoginUser is not thread-safe
> ----------------------------------------------------------------------
>
>                 Key: HADOOP-13066
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13066
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Sergey Shelukhin
>
> When calling loginFromKerberos, a static variable is set up with the result. If someone logs in as a different user from a different thread, the call to getLoginUser will not return the correct UGI.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
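
The per-thread pattern suggested in the comment above, as an added example that is not part of the original message or of Hadoop's own code. The principals and keytab paths are placeholders, and running it assumes hadoop-common on the classpath and a reachable KDC.

```java
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

public class PerThreadKerberosLogin {
  // Placeholder principal/keytab pairs (assumptions, not from the issue).
  private static final String[][] IDENTITIES = {
      {"svc-a@EXAMPLE.COM", "/etc/security/keytabs/svc-a.keytab"},
      {"svc-b@EXAMPLE.COM", "/etc/security/keytabs/svc-b.keytab"},
  };

  /** Logs in one principal and reports the identity seen inside doAs. */
  static String runAs(String principal, String keytab) throws Exception {
    // Returns a fresh UGI; the process-global login user is left untouched.
    UserGroupInformation ugi =
        UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
    return ugi.doAs((PrivilegedExceptionAction<String>) () -> {
      // Inside doAs, getCurrentUser() resolves to this thread's own UGI.
      String seen = UserGroupInformation.getCurrentUser().getUserName();
      if (!seen.equals(ugi.getUserName())) {
        throw new IllegalStateException("identity mix-up: " + seen);
      }
      return seen;
    });
  }

  public static void main(String[] args) throws Exception {
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    UserGroupInformation.setConfiguration(conf);
    ExecutorService pool = Executors.newFixedThreadPool(IDENTITIES.length);
    try {
      List<Future<String>> results = new ArrayList<>();
      for (String[] id : IDENTITIES) {
        results.add(pool.submit(() -> runAs(id[0], id[1])));
      }
      for (Future<String> f : results) {
        System.out.println("ran as " + f.get());
      }
    } finally {
      pool.shutdown();
    }
  }
}
```

Code that must act as a given principal belongs inside the `doAs` body; anything that calls `getLoginUser()` instead still sees the shared process-wide login.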
