You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Daryn Sharp (JIRA)" <ji...@apache.org> on 2017/11/28 23:50:01 UTC
[jira] [Commented] (HADOOP-15068) cancelToken and renewToken should
use shortUserName consistently
[ https://issues.apache.org/jira/browse/HADOOP-15068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16269743#comment-16269743 ]
Daryn Sharp commented on HADOOP-15068:
--------------------------------------
I wanted to fix this very issue years ago but forget why it is/was tricky to fix than expected. I vaguely recall an auth_to_local issue, perhaps when re-parsing the short name of a full principal. Maybe it'll turn up if you make the proposed change and run all the security tests. Perhaps it was in yarn. Be careful disturbing the sleeping security dragons.
FWIW, the inconsistencies run a bit deeper. Cancelling a token isn't entirely correct either. It checks the auth principal's short name against the renewer field, but the full auth principal against the owner. So renewer is assumed short, owner is assumed full. As a normal auth'ed user, I can cancel tokens directly acquired by me because the owner is my full principal. Yet I can't cancel proxy tokens that "are me" because a proxy token's owner is the short name which doesn't match my full principal. Ugh.
> cancelToken and renewToken should use shortUserName consistently
> ----------------------------------------------------------------
>
> Key: HADOOP-15068
> URL: https://issues.apache.org/jira/browse/HADOOP-15068
> Project: Hadoop Common
> Issue Type: Improvement
> Components: common
> Affects Versions: 2.8.2
> Reporter: Vihang Karajgaonkar
>
> {{AbstractDelegationTokenSecretManager}} is used by many external projects including Hive. This class provides implementations of renewToken and cancelToken which are used for the delegation token management. The methods are semantically inconsistent. Specifically, when you call cancelToken, the string value of the canceller is used to get the Kerberos shortname and then compared with the renewer value of the token to be cancelled. While in case of renewToken, the string value which is passed in is used directly to compare with the renewer value of the token.
> This inconsistency means that applications need to know about this subtle difference and pass in the shortname while renewing the token, while it can pass the full kerberos username during cancellation. Can we change the renewToken method such that it uses the shortName similar to the cancelToken method?
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org