hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Xiao Chen (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-13805) UGI.getCurrentUser() fails if user does not have a keytab associated
Date Wed, 04 Jan 2017 19:21:58 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-13805?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Xiao Chen updated HADOOP-13805:
    Attachment: HADOOP-13805.05.patch

Thanks for the comment [~tucu00].

kinit -R assumes the TGT can still be renewed, if it reached it max life time it is not. So
this will delay the failure until the TGT cannot be renewed anymore; 
Looking at the [initial commit|https://github.com/apache/hadoop/commit/1a6ed79ebf6649d4f0828b8c2adff26d0f79832f#diff-8da26f813ae9e87bbf0fb9abb349acc2R445],
I think that's what this renewal thread is supposed to do - {{kinit -R}} until the TGT reach
its max lifetime. After that, it will fail and seems current code isn't considering it - no
{{-kt <keytab>}} is provided to the command.
Verifying this from shell, {{kinit -R -kt <keytab>}} will get a new TGT to keep credentials
updated, but feels like we should split that improvement to a new jira.
Let's move this part to HADOOP-13807 if you're comfortable.

Back to this jira, I think the issue can be fixed in another way. Current patch breaks {{TestKMS#testTGTRenewal}},
and the usage there seems reasonable.
So maybe we can fix it this way - the state of whether a login is external shouldn't be a
instance variable of the UGI, but a static variable reflecting what loginFromXXX was performed
to log the user in. Therefore, it can track the initial login and perform relogins accordingly.
This is different than current patch, because UGI itself instantiates new UGI objects in various
calls (e.g. {{getCurrentUser}}), and performs {{loginUserFromSubject}} internally (e.g. {{getLoginUser(null)}}).
Having a static variable to reflect the static {{loginUserFromXXX}} methods feels cleaner.

Patch has the proposed fix, and didn't have to change any unit test. Appreciate your continued

> UGI.getCurrentUser() fails if user does not have a keytab associated
> --------------------------------------------------------------------
>                 Key: HADOOP-13805
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13805
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.8.0, 2.9.0, 3.0.0-alpha2
>            Reporter: Alejandro Abdelnur
>            Assignee: Xiao Chen
>         Attachments: HADOOP-13805.01.patch, HADOOP-13805.02.patch, HADOOP-13805.03.patch,
HADOOP-13805.04.patch, HADOOP-13805.05.patch
> HADOOP-13558 intention was to avoid UGI from trying to renew the TGT when the UGI is
created from an existing Subject as in that case the keytab is not 'own' by UGI but by the
creator of the Subject.
> In HADOOP-13558 we introduced a new private UGI constructor {{UserGroupInformation(Subject
subject, final boolean externalKeyTab)}} and we use with TRUE only when doing a {{UGI.loginUserFromSubject()}}.
> The problem is, when we call {{UGI.getCurrentUser()}}, and UGI was created via a Subject
(via the {{UGI.loginUserFromSubject()}} method), we call {{new UserGroupInformation(subject)}}
which will delegate to {{UserGroupInformation(Subject subject, final boolean externalKeyTab)}}
 and that will use externalKeyTab == *FALSE*. 
> Then the UGI returned by {{UGI.getCurrentUser()}} will attempt to login using a non-existing
keytab if the TGT expired.
> This problem is experienced in {{KMSClientProvider}} when used by the HDFS filesystem
client accessing an an encryption zone.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org

View raw message