Hadoop Common / HADOOP-13805

UGI.getCurrentUser() fails if user does not have a keytab associated


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.8.0, 2.9.0, 3.0.0-alpha2
    • Fix Version/s: 3.0.0-alpha4
    • Component/s: security
    • Labels: None
    • Hadoop Flags: Incompatible change, Reviewed
    • Release Note:
      Due to an issue remaining after HADOOP-13558, a UGI may still try to renew the TGT even though the UGI was created from an existing Subject. The renewal fails because the keytab does not exist.

      Fixing the issue changes behavior in an incompatible way, so the configuration property "hadoop.treat.subject.external" is introduced to enable the fix (disabled by default). When the fix is not enabled, the behavior is the same as before.

    Description

      The intention of HADOOP-13558 was to stop UGI from trying to renew the TGT when the UGI is created from an existing Subject, because in that case the keytab is not 'owned' by UGI but by the creator of the Subject.

      In HADOOP-13558 we introduced a new private UGI constructor, UserGroupInformation(Subject subject, final boolean externalKeyTab), and we use it with TRUE only when doing a UGI.loginUserFromSubject().

      The problem is, when we call UGI.getCurrentUser() and the UGI was created via a Subject (via the UGI.loginUserFromSubject() method), we call new UserGroupInformation(subject), which delegates to UserGroupInformation(Subject subject, final boolean externalKeyTab) with externalKeyTab == FALSE.

      Then the UGI returned by UGI.getCurrentUser() will attempt to log in using a non-existent keytab if the TGT has expired.

      This problem is experienced in KMSClientProvider when used by the HDFS filesystem client accessing an encryption zone.
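The following is an added example (not code from the issue or from Hadoop) of the client-side opt-in the release note describes: an application that runs its own JAAS/Kerberos login, hands the Subject to UGI, and enables "hadoop.treat.subject.external" so that UGIs later obtained via getCurrentUser() do not attempt a keytab re-login the application never configured. The JAAS entry name "HadoopClient" and the external jaas.conf it refers to are assumptions.

```java
import java.io.IOException;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

// Added example: the application, not UGI, owns the Kerberos credentials
// (and their renewal) and opts in to the HADOOP-13805 behavior.
public class ExternalSubjectLogin {

    public static UserGroupInformation loginWithOwnSubject()
            throws LoginException, IOException {
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        // Off by default (incompatible change). With it enabled, a UGI derived
        // from this Subject is treated as having an external keytab and will
        // not try reloginFromKeytab() when the TGT expires.
        conf.setBoolean("hadoop.treat.subject.external", true);
        UserGroupInformation.setConfiguration(conf);

        // "HadoopClient" is an assumed JAAS entry (Krb5LoginModule) located via
        // -Djava.security.auth.login.config=/path/to/jaas.conf (not from the issue).
        LoginContext lc = new LoginContext("HadoopClient");
        lc.login();
        Subject subject = lc.getSubject();

        // Register the externally owned Subject as the login user; without the
        // property above, a later getCurrentUser() would rebuild the UGI with
        // externalKeyTab == false and fail on TGT expiry (the bug described here).
        UserGroupInformation.loginUserFromSubject(subject);
        return UserGroupInformation.getCurrentUser();
    }

    public static void main(String[] args) throws Exception {
        UserGroupInformation ugi = loginWithOwnSubject();
        System.out.println("Current user: " + ugi.getUserName()
                + ", fromKeytab=" + ugi.isFromKeytab());
    }
}
```

Renewing the TGT remains the application's job (for example by re-running lc.login() on its own schedule); the property only stops UGI from attempting a renewal it cannot perform.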

      Attachments

        1. HADOOP-13805.05.patch (4 kB, Xiao Chen)
        2. HADOOP-13805.04.patch (8 kB, Xiao Chen)
        3. HADOOP-13805.03.patch (5 kB, Xiao Chen)
        4. HADOOP-13805.02.patch (6 kB, Xiao Chen)
        5. HADOOP-13805.010.patch (17 kB, Yongjun Zhang)
        6. HADOOP-13805.01.patch (2 kB, Xiao Chen)
        7. HADOOP-13805.009.patch (17 kB, Yongjun Zhang)
        8. HADOOP-13805.008.patch (16 kB, Yongjun Zhang)
        9. HADOOP-13805.007.patch (14 kB, Yongjun Zhang)
        10. HADOOP-13805.006.patch (9 kB, Yongjun Zhang)


        People

          Assignee: Xiao Chen (xiaochen)
          Reporter: Alejandro Abdelnur (tucu00)
          Votes: 0
          Watchers: 10
