[
https://issues.apache.org/jira/browse/HADOOP-9841?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13733552#comment-13733552
]
Kai Zheng commented on HADOOP-9841:
-----------------------------------
bq.we must carefully consider the ramifications of allowing anything to change
the JAAS conf at runtime.
I agree, but this does allow changing JAAS conf in more a controlled way
instead of doing so via global variables. Since current UGI needs to add login
conf and change login options dynamically as seen in the existing code, I was
thinking the provided manageable interface would make it more convenient. The
new implementation guarantees use of fresh config and options in each login
session. To avoid misuse, do you think it’s helpful to add some comments as
warning for the relevant interface?
bq.extreme example of my concern: ...
I understand your concern. Do you think it's helpful if I log all the JAAS
config options before login() call? This would be very easy and the logging can
be added at the base class JaasLoginEntry.
bq.The issue was tracked down to a service loaded class with a static block
that changed the global JAAS config.
That was unfortunate. So we would try to avoid global JAAS config. The config
change should be easily tracked in a manageable approach.
bq.At first glance, it's perhaps a bit too abstracted just for the purpose of
adding the jaas debug option?
We need the abstract base class JaasLoginEntry essentially, and the JAAS debug
option is good to be there since it's needed by all concrete JAAS login entries.
> Manageable login configuration and options for UGI
> --------------------------------------------------
>
> Key: HADOOP-9841
> URL: https://issues.apache.org/jira/browse/HADOOP-9841
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Kai Zheng
> Assignee: Kai Zheng
> Labels: Rhino
> Attachments: HADOOP-9841.patch
>
>
> As discussed in HADOOP-9797, it would be better to improve UGI incrementally.
> Currently in UGI implementation, it’s not easy to add or change login
> configuration and the options for relevant login modules dynamically. This is
> to address the issue, make login configuration manageable, and convert
> existing JAAS login configurations with their login module options into new
> way. Double check to make sure the converting is equivalent and doesn’t break.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
