Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-13081

add the ability to create multiple UGIs/subjects from one kerberos login


    • Type: Improvement
    • Status: Reopened
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 3.0.0-alpha1
    • Component/s: security
    • Labels:
    • Hadoop Flags:


      We have a scenario where we log in with kerberos as a certain user for some tasks, but also want to add tokens to the resulting UGI that would be specific to each task. We don't want to authenticate with kerberos for every task.
      I am not sure how this can be accomplished with the existing UGI interface. Perhaps some clone method would be helpful, similar to createProxyUser minus the proxy stuff; or it could just relogin anew from ticket cache. getUGIFromTicketCache seems like the best option in existing code, but there doesn't appear to be a consistent way of handling ticket cache location - the above method, that I only see called in test, is using a config setting that is not used anywhere else, and the env variable for the location that is used in the main ticket cache related methods is not set uniformly on all paths - therefore, trying to find the correct ticket cache and passing it via the config setting to getUGIFromTicketCache seems even hackier than doing the clone via reflection Moreover, getUGIFromTicketCache ignores the user parameter on the main path - it logs a warning for multiple principals and then logs in with first available.


        1. HADOOP-13081.01.patch
          1 kB
          Sergey Shelukhin
        2. HADOOP-13081.02.patch
          4 kB
          Sergey Shelukhin
        3. HADOOP-13081.02.patch
          4 kB
          Sergey Shelukhin
        4. HADOOP-13081.03.patch
          4 kB
          Sergey Shelukhin
        5. HADOOP-13081.03.patch
          4 kB
          Sergey Shelukhin
        6. HADOOP-13081.patch
          1 kB
          Sergey Shelukhin

          Issue Links



              • Assignee:
                sershe Sergey Shelukhin
                sershe Sergey Shelukhin
              • Votes:
                0 Vote for this issue
                11 Start watching this issue


                • Created: