[
https://issues.apache.org/jira/browse/HADOOP-13805?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Xiao Chen updated HADOOP-13805:
-------------------------------
Attachment: HADOOP-13805.05.patch
Thanks for the comment [~tucu00].
{quote}
kinit -R assumes the TGT can still be renewed, if it reached it max life time
it is not. So this will delay the failure until the TGT cannot be renewed
anymore;
{quote}
Looking at the [initial
commit|https://github.com/apache/hadoop/commit/1a6ed79ebf6649d4f0828b8c2adff26d0f79832f#diff-8da26f813ae9e87bbf0fb9abb349acc2R445],
I think that's what this renewal thread is supposed to do - {{kinit -R}} until
the TGT reach its max lifetime. After that, it will fail and seems current code
isn't considering it - no {{-kt <keytab>}} is provided to the command.
Verifying this from shell, {{kinit -R -kt <keytab>}} will get a new TGT to keep
credentials updated, but feels like we should split that improvement to a new
jira.
Let's move this part to HADOOP-13807 if you're comfortable.
Back to this jira, I think the issue can be fixed in another way. Current patch
breaks {{TestKMS#testTGTRenewal}}, and the usage there seems reasonable.
So maybe we can fix it this way - the state of whether a login is external
shouldn't be a instance variable of the UGI, but a static variable reflecting
what loginFromXXX was performed to log the user in. Therefore, it can track the
initial login and perform relogins accordingly. This is different than current
patch, because UGI itself instantiates new UGI objects in various calls (e.g.
{{getCurrentUser}}), and performs {{loginUserFromSubject}} internally (e.g.
{{getLoginUser(null)}}). Having a static variable to reflect the static
{{loginUserFromXXX}} methods feels cleaner.
Patch has the proposed fix, and didn't have to change any unit test. Appreciate
your continued feedback!
> UGI.getCurrentUser() fails if user does not have a keytab associated
> --------------------------------------------------------------------
>
> Key: HADOOP-13805
> URL: https://issues.apache.org/jira/browse/HADOOP-13805
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.8.0, 2.9.0, 3.0.0-alpha2
> Reporter: Alejandro Abdelnur
> Assignee: Xiao Chen
> Attachments: HADOOP-13805.01.patch, HADOOP-13805.02.patch,
> HADOOP-13805.03.patch, HADOOP-13805.04.patch, HADOOP-13805.05.patch
>
>
> HADOOP-13558 intention was to avoid UGI from trying to renew the TGT when the
> UGI is created from an existing Subject as in that case the keytab is not
> 'own' by UGI but by the creator of the Subject.
> In HADOOP-13558 we introduced a new private UGI constructor
> {{UserGroupInformation(Subject subject, final boolean externalKeyTab)}} and
> we use with TRUE only when doing a {{UGI.loginUserFromSubject()}}.
> The problem is, when we call {{UGI.getCurrentUser()}}, and UGI was created
> via a Subject (via the {{UGI.loginUserFromSubject()}} method), we call {{new
> UserGroupInformation(subject)}} which will delegate to
> {{UserGroupInformation(Subject subject, final boolean externalKeyTab)}} and
> that will use externalKeyTab == *FALSE*.
> Then the UGI returned by {{UGI.getCurrentUser()}} will attempt to login using
> a non-existing keytab if the TGT expired.
> This problem is experienced in {{KMSClientProvider}} when used by the HDFS
> filesystem client accessing an an encryption zone.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
