Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-13805

UGI.getCurrentUser() fails if user does not have a keytab associated

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.8.0, 2.9.0, 3.0.0-alpha2
    • Fix Version/s: 3.0.0-alpha4
    • Component/s: security
    • Labels:
      None
    • Target Version/s:
    • Hadoop Flags:
      Incompatible change, Reviewed
    • Release Note:
      Hide
      Due to a remaining issue after HADOOP-13558, an UGI may still try to renew the TGT even though the UGI is created from an existing Subject. The renewal would fail because of non-existing keytab.

      Fixing the issue means different behavior which is incompatible, however, configuration property "hadoop.treat.subject.external" is introduced to enable the fix (disabled by default). The behavior is the same as before when the fix is not enabled.
      Show
      Due to a remaining issue after HADOOP-13558 , an UGI may still try to renew the TGT even though the UGI is created from an existing Subject. The renewal would fail because of non-existing keytab. Fixing the issue means different behavior which is incompatible, however, configuration property "hadoop.treat.subject.external" is introduced to enable the fix (disabled by default). The behavior is the same as before when the fix is not enabled.

      Description

      HADOOP-13558 intention was to avoid UGI from trying to renew the TGT when the UGI is created from an existing Subject as in that case the keytab is not 'own' by UGI but by the creator of the Subject.

      In HADOOP-13558 we introduced a new private UGI constructor UserGroupInformation(Subject subject, final boolean externalKeyTab) and we use with TRUE only when doing a UGI.loginUserFromSubject().

      The problem is, when we call UGI.getCurrentUser(), and UGI was created via a Subject (via the UGI.loginUserFromSubject() method), we call new UserGroupInformation(subject) which will delegate to UserGroupInformation(Subject subject, final boolean externalKeyTab) and that will use externalKeyTab == FALSE.

      Then the UGI returned by UGI.getCurrentUser() will attempt to login using a non-existing keytab if the TGT expired.

      This problem is experienced in KMSClientProvider when used by the HDFS filesystem client accessing an an encryption zone.

        Attachments

        1. HADOOP-13805.006.patch
          9 kB
          Yongjun Zhang
        2. HADOOP-13805.007.patch
          14 kB
          Yongjun Zhang
        3. HADOOP-13805.008.patch
          16 kB
          Yongjun Zhang
        4. HADOOP-13805.009.patch
          17 kB
          Yongjun Zhang
        5. HADOOP-13805.01.patch
          2 kB
          Xiao Chen
        6. HADOOP-13805.010.patch
          17 kB
          Yongjun Zhang
        7. HADOOP-13805.02.patch
          6 kB
          Xiao Chen
        8. HADOOP-13805.03.patch
          5 kB
          Xiao Chen
        9. HADOOP-13805.04.patch
          8 kB
          Xiao Chen
        10. HADOOP-13805.05.patch
          4 kB
          Xiao Chen

          Issue Links

            Activity

              People

              • Assignee:
                xiaochen Xiao Chen
                Reporter:
                tucu00 Alejandro Abdelnur
              • Votes:
                0 Vote for this issue
                Watchers:
                10 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: