You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-dev@hadoop.apache.org by "Yicong Cai (Jira)" <ji...@apache.org> on 2019/08/20 03:28:00 UTC
[jira] [Created] (HADOOP-16521) Subject has a contradiction between
proxy user and real user
Yicong Cai created HADOOP-16521:
-----------------------------------
Summary: Subject has a contradiction between proxy user and real user
Key: HADOOP-16521
URL: https://issues.apache.org/jira/browse/HADOOP-16521
Project: Hadoop Common
Issue Type: Bug
Reporter: Yicong Cai
In the method UserGroupInformation#loginUserFromSubject, if you specify ProxyUser with HADOOP_PROXY_USER, and create a Proxy UGI instance, the valid Credentials are included in the User's PrivateCredentials. The UGI information is as follows:
{code:java}
proxyUGI
|
|--subject 1
| |
| |--principals
| | |
| | |--user
| | |
| | --real user
| |
| --privCredentials(all cred)
|
--proxy user
{code}
If you first login Real User and then use UserGroupInformation#createProxyUser to create a Proxy UGI, the valid Credentials information is included in RealUser's subject PrivateCredentials. The UGI information is as follows:
{code:java}
proxyUGI
|
|--subject 1
| |
| |--principals
| | |
| | |--user
| | |
| | --real user
| | |
| | --subject 2
| | |
| | --privCredentials(all cred)
| |
| --privCredentials(empty)
|
--proxy user{code}
Use the proxy user in the HDFS FileSystem to perform token-related operations.
However, in the RPC Client Connection, use the token in RealUser for SaslRpcClient#saslConnect.
So the main contradiction is, should ProxyUser's real Credentials information be placed in ProxyUGI's subject, or should it be placed in RealUser's subject?
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-dev-help@hadoop.apache.org