
fuse_dfs to support keytab based login


Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.6.0
    • Fix Version/s: None
    • Component/s: None
    • Labels: None
    • Environment: Hadoop 2.6/3.0, Kerberized, fuse_dfs

    Description

      It looks like the current fuse_dfs implementation supports login using the current Kerberos credential. If the TGT expires, it fails with the following error:

      hdfsBuilderConnect(forceNewInstance=1, nn=hdfs://ns1, port=0, kerbTicketCachePath=/tmp/krb5cc_2000, userName=systest) error:
      LoginException: Unable to obtain Principal Name for authentication org.apache.hadoop.security.KerberosAuthException: failure to login: for user: systest using ticket cache file: /tmp/krb5cc_2000 javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication
      at org.apache.hadoop.security.UserGroupInformation.getUGIFromTicketCache(UserGroupInformation.java:807)
      at org.apache.hadoop.security.UserGroupInformation.getBestUGI(UserGroupInformation.java:742)
      at org.apache.hadoop.fs.FileSystem.newInstance(FileSystem.java:404)
      Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication
      at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:841)
      at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:704)
      at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)
      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
      at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
      at org.apache.hadoop.security.UserGroupInformation.getUGIFromTicketCache(UserGroupInformation.java:788)
      ... 2 more

      This is reproducible easily in a test cluster with an extremely short ticket lifetime (e.g. 1 minute).

      Note: HDFS-3608 addresses a similar issue, but in this case, since the ticket cache file itself does not change, fuse couldn't detect & update.

      It looks like it should call UserGroupInformation#loginFromKeytab() in the beginning, similar to how balancer supports keytab based login (HDFS-9804). Thanks Xiao Chen for the idea.

      A quick workaround would have a crontab job that periodically renews the Kerberos ticket with a keytab, say every 8 hours.
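      The cron workaround above, written out as an added example (not code from this ticket or from the Hadoop project): the job re-creates the ticket cache from a keytab whenever klist no longer reports a valid TGT, and refuses a keytab that is group- or world-readable, since the keytab is a long-lived credential. The cache path, keytab path and principal are placeholders; the cache path must be the one fuse_dfs reads (the kerbTicketCachePath in the error above), and the job must run as that same user.

```shell
#!/bin/sh
# Keytab-driven ticket renewal for a fuse_dfs mount (added example; paths and
# the principal are placeholders, not values from the ticket).
set -u

# Return 0 if the keytab exists and is readable only by its owner.
keytab_perms_ok() {
    keytab=$1
    [ -f "$keytab" ] || return 1
    perms=$(ls -l "$keytab" | cut -c2-10)    # e.g. rw-------
    case "$perms" in
        ???r*|??????r*) return 1 ;;           # group- or world-readable
    esac
    return 0
}

# Re-create the ticket cache from the keytab when no valid TGT is present.
# klist -s exits non-zero for a missing, empty or expired cache, so an
# unchanged-but-expired cache file (the case in this ticket) is renewed too.
# Returns 0 when a valid ticket is present afterwards, 1 otherwise.
renew_if_needed() {
    cache=$1
    keytab=$2
    principal=$3
    keytab_perms_ok "$keytab" || { echo "refusing unsafe keytab $keytab" >&2; return 1; }
    if klist -s -c "$cache"; then
        return 0                               # still valid, nothing to do
    fi
    kinit -k -t "$keytab" -c "$cache" "$principal" || return 1
    klist -s -c "$cache"
}

# Run from cron as the fuse_dfs user, well inside the ticket lifetime, e.g.:
#   0 * * * * /usr/local/sbin/renew-fuse-ticket.sh --run
if [ "${1:-}" = "--run" ]; then
    renew_if_needed /tmp/krb5cc_2000 /etc/security/keytabs/systest.keytab systest@EXAMPLE.COM
fi
```

Schedule the job more often than the ticket lifetime so the cache never sits expired between runs; renewing into a different cache path or as a different user leaves fuse_dfs exactly where it was.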

      People

        Assignee: Unassigned
        Reporter: Wei-Chiu Chuang (weichiu)