Posted to common-commits@hadoop.apache.org by we...@apache.org on 2020/02/27 16:02:43 UTC
[hadoop] branch branch-3.2 updated: HDFS-14668 Support Fuse with Users from multiple Security Realms (#1739)
This is an automated email from the ASF dual-hosted git repository.
weichiu pushed a commit to branch branch-3.2
in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/branch-3.2 by this push:
new e42ac48 HDFS-14668 Support Fuse with Users from multiple Security Realms (#1739)
e42ac48 is described below
commit e42ac486e7eecb6a24ac95f1ceaf61d24060adef
Author: Istvan Fajth <pi...@cloudera.com>
AuthorDate: Thu Feb 27 16:48:15 2020 +0100
HDFS-14668 Support Fuse with Users from multiple Security Realms (#1739)
(cherry picked from commit 57aa048516f5c5fe02441d213b52ce1bbeddf823)
---
.../src/main/native/fuse-dfs/fuse_connect.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/hadoop-hdfs-project/hadoop-hdfs-native-client/src/main/native/fuse-dfs/fuse_connect.c b/hadoop-hdfs-project/hadoop-hdfs-native-client/src/main/native/fuse-dfs/fuse_connect.c
index f08917a..103ed4e 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-native-client/src/main/native/fuse-dfs/fuse_connect.c
+++ b/hadoop-hdfs-project/hadoop-hdfs-native-client/src/main/native/fuse-dfs/fuse_connect.c
@@ -476,7 +476,6 @@ static int fuseNewConnect(const char *usrname, struct fuse_context *ctx,
if (gPort) {
hdfsBuilderSetNameNodePort(bld, gPort);
}
- hdfsBuilderSetUserName(bld, usrname);
if (gHdfsAuthConf == AUTH_CONF_KERBEROS) {
findKerbTicketCachePath(ctx, kpath, sizeof(kpath));
if (stat(kpath, &st) < 0) {
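Review bot: With the unconditional hdfsBuilderSetUserName(bld, usrname) call gone ahead of the if (gHdfsAuthConf == AUTH_CONF_KERBEROS) branch, the ticket cache at kpath becomes the only source of the HDFS identity in Kerberos mode, and the only check visible here is stat(kpath, &st) < 0, which tests that the file exists. Please confirm that the code after this hunk, or findKerbTicketCachePath itself, ties the cache to the calling FUSE user in ctx, for example by comparing st.st_uid with ctx->uid. If it does not, that check is worth adding, since nothing else now binds the OS user to the principal that ends up authenticating.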
@@ -495,6 +494,17 @@ static int fuseNewConnect(const char *usrname, struct fuse_context *ctx,
ret = -ENOMEM;
goto error;
}
+ } else {
+ // earlier the username was set to the builder always, but due to
+ // HADOOP-9747 if we specify the username in case of kerberos authentication
+ // the username will be used as the principal name, and that will conflict
+ // with ticket cache based authentication as we have the OS user name here
+ // not the real kerberos principal name. So with SIMPLE auth we pass on the
+ // OS username still, and the UGI will use that as the username, but with
+ // kerberos authentication we do not pass in the OS username and let the
+ // authentication happen with the principal who's ticket is in the ticket
+ // cache. (HDFS-15034 is still a possible improvement for SIMPLE AUTH.)
+ hdfsBuilderSetUserName(bld, usrname);
}
conn->usrname = strdup(usrname);
if (!conn->usrname) {
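Review bot: The assignment conn->usrname = strdup(usrname) after the new else branch still records the OS user name in both auth modes, so under Kerberos the connection is labelled with a name that can differ from the principal in the ticket cache that actually authenticates. A one-line comment at that assignment saying conn->usrname is the OS user and not the effective HDFS principal would prevent misuse of the field later. The long explanatory comment also sits inside the SIMPLE auth branch while mostly describing the Kerberos case; placing it above the if (gHdfsAuthConf == AUTH_CONF_KERBEROS) test would make it easier to find. In that comment, "who's ticket" should read "whose ticket".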