hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sergey Shelukhin (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-13081) add the ability to create multiple UGIs/subjects from one kerberos login
Date Mon, 02 May 2016 21:35:13 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-13081?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Sergey Shelukhin updated HADOOP-13081:
--------------------------------------
    Description: 
We have a scenario where we log in with kerberos as a certain user for some tasks, but also
want to add tokens to the resulting UGI that would be specific to each task. We don't want
to authenticate with kerberos for every task.
I am not sure how this can be accomplished with the existing UGI interface. Perhaps some clone
method would be helpful, similar to createProxyUser minus the proxy stuff; or it could just
relogin anew from ticket cache. getUGIFromTicketCache seems like the best option in existing
code, but there doesn't appear to be a consistent way of handling ticket cache location -
the above method, that I only see called in test, is using a config setting that is not used
anywhere else, and the env variable for the location is not set on all paths - trying to find
the correct ticket cache and setting it in the config for getUGIFromTicketCache seems even
hackier than doing the clone via reflection ;)

  was:
We have a scenario where we log in with kerberos as a certain user for some tasks, but also
want to add tokens to the resulting UGI that would be specific to each task. 
I am not sure how this can be accomplished with the existing UGI interface. Perhaps some clone
method would be helpful, similar to createProxyUser minus the proxy stuff; or it could just
relogin anew from ticket cache. getUGIFromTicketCache seems like the best option in existing
code, but there doesn't appear to be a consistent way of handling ticket cache location -
the above method, that I only see called in test, is using a config setting that is not used
anywhere else, and the env variable for the location is not set on all paths - trying to find
the correct ticket cache and setting it in the config for getUGIFromTicketCache seems even
hackier than doing the clone via reflection ;)


> add the ability to create multiple UGIs/subjects from one kerberos login
> ------------------------------------------------------------------------
>
>                 Key: HADOOP-13081
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13081
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Sergey Shelukhin
>
> We have a scenario where we log in with kerberos as a certain user for some tasks, but
also want to add tokens to the resulting UGI that would be specific to each task. We don't
want to authenticate with kerberos for every task.
> I am not sure how this can be accomplished with the existing UGI interface. Perhaps some
clone method would be helpful, similar to createProxyUser minus the proxy stuff; or it could
just relogin anew from ticket cache. getUGIFromTicketCache seems like the best option in existing
code, but there doesn't appear to be a consistent way of handling ticket cache location -
the above method, that I only see called in test, is using a config setting that is not used
anywhere else, and the env variable for the location is not set on all paths - trying to find
the correct ticket cache and setting it in the config for getUGIFromTicketCache seems even
hackier than doing the clone via reflection ;)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message