Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- 2.8.0, 2.9.0, 3.0.0-alpha2
- None
- Incompatible change, Reviewed
Description
The intention of HADOOP-13558 was to prevent UGI from trying to renew the TGT when the UGI is created from an existing Subject, as in that case the keytab is not 'owned' by UGI but by the creator of the Subject.
In HADOOP-13558 we introduced a new private UGI constructor, UserGroupInformation(Subject subject, final boolean externalKeyTab), and we use it with TRUE only when doing a UGI.loginUserFromSubject().
The problem is, when we call UGI.getCurrentUser(), and UGI was created via a Subject (via the UGI.loginUserFromSubject() method), we call new UserGroupInformation(subject) which will delegate to UserGroupInformation(Subject subject, final boolean externalKeyTab) and that will use externalKeyTab == FALSE.
Then the UGI returned by UGI.getCurrentUser() will attempt to login using a non-existing keytab if the TGT expired.
This problem is experienced in KMSClientProvider when used by the HDFS filesystem client accessing an encryption zone.
Issue Links
- is duplicated by
  - HADOOP-13807 UGI renewal thread should be spawn only if the keytab is not external (Resolved)
- is related to
  - HADOOP-13558 UserGroupInformation created from a Subject incorrectly tries to renew the Kerberos ticket (Resolved)
  - HADOOP-14948 Document missing config key hadoop.treat.subject.external (Resolved)
  - HADOOP-17345 Work with externally managed user credentials (Open)
- is superceded by
  - HADOOP-9747 Reduce unnecessary UGI synchronization (Resolved)
- relates to
  - HADOOP-13807 UGI renewal thread should be spawn only if the keytab is not external (Resolved)
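
The flag loss described in the issue, as a simplified stand-alone Java model added here; it is not Hadoop's code and not the committed patch. `ToyUgi`, `ExternalLoginMarker` and the method names are hypothetical, and keeping a marker credential in the Subject is only one possible way to preserve the flag, assumed for illustration.

```java
import javax.security.auth.Subject;

// Simplified model of the externalKeyTab flag loss; all names are hypothetical
// and this is not Hadoop's UserGroupInformation source.
public class ExternalKeytabFlagDemo {

    /** Marker kept in the Subject so "externally managed" survives re-wrapping. */
    static final class ExternalLoginMarker { }

    static final class ToyUgi {
        final Subject subject;
        final boolean externalKeyTab;

        // One-argument constructor: always assumes the wrapper owns the keytab.
        ToyUgi(Subject subject) { this(subject, false); }

        ToyUgi(Subject subject, boolean externalKeyTab) {
            this.subject = subject;
            this.externalKeyTab = externalKeyTab;
        }

        // Models loginUserFromSubject(): credentials belong to the Subject's creator.
        static ToyUgi loginUserFromSubject(Subject s) {
            s.getPrivateCredentials().add(new ExternalLoginMarker());
            return new ToyUgi(s, true);
        }

        // Models getCurrentUser() as described: re-wraps the Subject, flag becomes false.
        static ToyUgi currentUserLosingFlag(Subject s) { return new ToyUgi(s); }

        // Alternative: derive the flag from the Subject instead of defaulting it.
        static ToyUgi currentUserKeepingFlag(Subject s) {
            boolean external = !s.getPrivateCredentials(ExternalLoginMarker.class).isEmpty();
            return new ToyUgi(s, external);
        }

        /** True when this wrapper would try a keytab relogin once the TGT expires. */
        boolean wouldReloginFromKeytab() { return !externalKeyTab; }
    }

    public static void main(String[] args) {
        Subject subject = new Subject(); // constructed stand-in for the creator's Subject
        ToyUgi login = ToyUgi.loginUserFromSubject(subject);
        ToyUgi lost = ToyUgi.currentUserLosingFlag(subject);
        ToyUgi kept = ToyUgi.currentUserKeepingFlag(subject);
        System.out.println("login wrapper relogin attempt: " + login.wouldReloginFromKeytab());
        System.out.println("re-wrapped, flag defaulted:    " + lost.wouldReloginFromKeytab());
        System.out.println("re-wrapped, flag from Subject: " + kept.wouldReloginFromKeytab());
    }
}
```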