[
https://issues.apache.org/jira/browse/HADOOP-15068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16269743#comment-16269743
]
Daryn Sharp commented on HADOOP-15068:
--------------------------------------
I wanted to fix this very issue years ago but forget why it is/was trickier to
fix than expected. I vaguely recall an auth_to_local issue, perhaps when
re-parsing the short name of a full principal. Maybe it'll turn up if you make
the proposed change and run all the security tests. Perhaps it was in yarn.
Be careful disturbing the sleeping security dragons.
FWIW, the inconsistencies run a bit deeper. Cancelling a token isn't entirely
correct either. It checks the auth principal's short name against the renewer
field, but the full auth principal against the owner. So renewer is assumed
short, owner is assumed full. As a normal auth'ed user, I can cancel tokens
directly acquired by me because the owner is my full principal. Yet I can't
cancel proxy tokens that "are me" because a proxy token's owner is the short
name which doesn't match my full principal. Ugh.
> cancelToken and renewToken should use shortUserName consistently
> ----------------------------------------------------------------
>
> Key: HADOOP-15068
> URL: https://issues.apache.org/jira/browse/HADOOP-15068
> Project: Hadoop Common
> Issue Type: Improvement
> Components: common
> Affects Versions: 2.8.2
> Reporter: Vihang Karajgaonkar
>
> {{AbstractDelegationTokenSecretManager}} is used by many external projects
> including Hive. This class provides implementations of renewToken and
> cancelToken which are used for the delegation token management. The methods
> are semantically inconsistent. Specifically, when you call cancelToken, the
> string value of the canceller is used to get the Kerberos shortname and then
> compared with the renewer value of the token to be cancelled. While in case
> of renewToken, the string value which is passed in is used directly to
> compare with the renewer value of the token.
> This inconsistency means that applications need to know about this subtle
> difference and pass in the shortname while renewing the token, while they can
> pass the full Kerberos username during cancellation. Can we change the
> renewToken method such that it uses the shortName similar to the cancelToken
> method?