Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-13805

UGI.getCurrentUser() fails if user does not have a keytab associated

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 2.8.0, 2.9.0, 3.0.0-alpha2
    • 3.0.0-alpha4
    • security
    • None
    • Incompatible change, Reviewed
    • Hide
      Due to a remaining issue after HADOOP-13558, an UGI may still try to renew the TGT even though the UGI is created from an existing Subject. The renewal would fail because of non-existing keytab.

      Fixing the issue means different behavior which is incompatible, however, configuration property "hadoop.treat.subject.external" is introduced to enable the fix (disabled by default). The behavior is the same as before when the fix is not enabled.
      Show
      Due to a remaining issue after HADOOP-13558 , an UGI may still try to renew the TGT even though the UGI is created from an existing Subject. The renewal would fail because of non-existing keytab. Fixing the issue means different behavior which is incompatible, however, configuration property "hadoop.treat.subject.external" is introduced to enable the fix (disabled by default). The behavior is the same as before when the fix is not enabled.

    Description

      HADOOP-13558 intention was to avoid UGI from trying to renew the TGT when the UGI is created from an existing Subject as in that case the keytab is not 'own' by UGI but by the creator of the Subject.

      In HADOOP-13558 we introduced a new private UGI constructor UserGroupInformation(Subject subject, final boolean externalKeyTab) and we use with TRUE only when doing a UGI.loginUserFromSubject().

      The problem is, when we call UGI.getCurrentUser(), and UGI was created via a Subject (via the UGI.loginUserFromSubject() method), we call new UserGroupInformation(subject) which will delegate to UserGroupInformation(Subject subject, final boolean externalKeyTab) and that will use externalKeyTab == FALSE.

      Then the UGI returned by UGI.getCurrentUser() will attempt to login using a non-existing keytab if the TGT expired.

      This problem is experienced in KMSClientProvider when used by the HDFS filesystem client accessing an an encryption zone.

      Attachments

        1. HADOOP-13805.006.patch
          9 kB
          Yongjun Zhang
        2. HADOOP-13805.007.patch
          14 kB
          Yongjun Zhang
        3. HADOOP-13805.008.patch
          16 kB
          Yongjun Zhang
        4. HADOOP-13805.009.patch
          17 kB
          Yongjun Zhang
        5. HADOOP-13805.01.patch
          2 kB
          Xiao Chen
        6. HADOOP-13805.010.patch
          17 kB
          Yongjun Zhang
        7. HADOOP-13805.02.patch
          6 kB
          Xiao Chen
        8. HADOOP-13805.03.patch
          5 kB
          Xiao Chen
        9. HADOOP-13805.04.patch
          8 kB
          Xiao Chen
        10. HADOOP-13805.05.patch
          4 kB
          Xiao Chen

        Issue Links

          Activity

            People

              xiaochen Xiao Chen
              tucu00 Alejandro Abdelnur
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: