[ 
https://issues.apache.org/jira/browse/HADOOP-11176?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14165869#comment-14165869
 ] 

Aaron T. Myers commented on HADOOP-11176:
-----------------------------------------

The patch looks pretty good to me, and it's a good catch. I have one nit and a 
few small comments:

Comments:

# The variable name "{{loginUgi}}" is now a bit misleading, since it's not 
necessarily actually attempting to refer to the login UGI of the process where 
this {{KMSClientProvider}} is running. Suggest renaming it to something like 
"serverUgi" or something more clear.
# I'm not crazy about re-assigning the {{loginUgi}} instance variable in the 
{{createConnection}} method. What if at some point later in the life of this 
{{KMSClientProvider}} some authentication method other than PROXY is used? I 
suggest making that instance var final, maybe renaming it to "{{ugiAtCreate}}" 
or something, and then setting a local var appropriately in 
{{createConnection}} to the correct UGI and using that.

Nit:

# There are two semicolons at the end of this line:
{code}
+        loginUgi = UserGroupInformation.getCurrentUser().getRealUser();;
{code}

+1 once these are addressed.

Thanks a lot, Arun.

> KMSClientProvider authentication fails when both currentUgi and loginUgi are 
> a proxied user
> -------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-11176
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11176
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Arun Suresh
>            Assignee: Arun Suresh
>              Labels: encryption
>         Attachments: HADOOP-11176.1.patch, HADOOP-11176.2.patch
>
>
> In a secure environment, with kerberos, when the KMSClientProvider instance 
> is created in the context of a proxied user, the initial SPNEGO handshake is 
> made with the currentUser (the proxied user) as the Principal. This will 
> fail, since the proxied user is not logged in.
> The handshake must be done using the real user.
>  
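The following is an added illustration of the pattern discussed above, written for this page and not code from the Hadoop project or from the HADOOP-11176 patch: the UGI captured when the provider is created stays in a final field (Aaron's suggested "ugiAtCreate"), and createConnection() picks a local UGI for the SPNEGO handshake per call, falling back to the real user whenever the current user is a PROXY user with no Kerberos credentials of its own. Class and method names (KmsAuthUgiExample, authenticatingUgi) are hypothetical; it assumes hadoop-common on the classpath for UserGroupInformation and its real createRemoteUser/createProxyUser/getRealUser/getAuthenticationMethod/doAs APIs.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;

/**
 * Hypothetical sketch (not KMSClientProvider itself) of the review suggestion:
 * keep the creating UGI in a final field and resolve the authenticating UGI
 * locally in createConnection() instead of re-assigning an instance variable.
 */
public class KmsAuthUgiExample {

  // Captured once at construction and never re-assigned, so a later call
  // that uses a different authentication method cannot corrupt it.
  private final UserGroupInformation ugiAtCreate;

  public KmsAuthUgiExample() throws IOException {
    this.ugiAtCreate = UserGroupInformation.getCurrentUser();
  }

  public UserGroupInformation getUgiAtCreate() {
    return ugiAtCreate;
  }

  /**
   * Selects the UGI that must perform the SPNEGO handshake. A PROXY user is not
   * logged in to Kerberos, so the handshake has to run as its real user;
   * any other user authenticates as itself.
   */
  static UserGroupInformation authenticatingUgi(UserGroupInformation ugi) {
    if (ugi.getAuthenticationMethod() == AuthenticationMethod.PROXY) {
      UserGroupInformation real = ugi.getRealUser();
      if (real != null) {
        return real;
      }
    }
    return ugi;
  }

  /**
   * Stand-in for createConnection(): the KMS request is still made on behalf
   * of the caller (possibly a proxied user), but the handshake runs under a
   * UGI that actually holds credentials. Nothing here mutates a field.
   */
  public String createConnection() throws IOException, InterruptedException {
    final UserGroupInformation current = UserGroupInformation.getCurrentUser();
    final UserGroupInformation authUgi = authenticatingUgi(current);
    return authUgi.doAs(new PrivilegedExceptionAction<String>() {
      @Override
      public String run() {
        // Hypothetical: the authenticated HttpURLConnection would be opened here.
        return "handshake as " + authUgi.getShortUserName()
            + ", request on behalf of " + current.getShortUserName();
      }
    });
  }

  public static void main(String[] args) throws Exception {
    // Constructed scenario: proxied user "alice" whose real user is the
    // service principal "svc" that holds the Kerberos login.
    UserGroupInformation real = UserGroupInformation.createRemoteUser("svc");
    UserGroupInformation proxied = UserGroupInformation.createProxyUser("alice", real);

    System.out.println("proxied user authenticates as: "
        + authenticatingUgi(proxied).getUserName());
    System.out.println("real user authenticates as:    "
        + authenticatingUgi(real).getUserName());
  }
}
```

The check in authenticatingUgi() is the whole fix in miniature: the caller's identity is preserved for authorization, but the credential used for the handshake is the one that is actually logged in.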



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
