Posted to issues@ozone.apache.org by "Siyao Meng (Jira)" <ji...@apache.org> on 2020/02/21 03:37:00 UTC
[jira] [Updated] (HDDS-3047) BasicOzoneFileSystem and other classes
should get user's full principal name instead of login name
[ https://issues.apache.org/jira/browse/HDDS-3047?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Siyao Meng updated HDDS-3047:
-----------------------------
Description:
BasicOzoneFileSystem, along with a dozen other classes, is using {{getShortUserName()}}:
{code:java|title=BasicOzoneFileSystem#initialize}
try {
  this.userName =
      UserGroupInformation.getCurrentUser().getShortUserName();
} catch (IOException e) {
  this.userName = OZONE_DEFAULT_USER;
}
{code}
[Github|https://github.com/apache/hadoop-ozone/blob/c9f26ccf9f93a052c5c0c042c57b6f87709597ae/hadoop-ozone/ozonefs/src/main/java/org/apache/hadoop/fs/ozone/BasicOzoneFileSystem.java#L161-L166]
It should use {{getUserName()}} instead.
For quick reference:
{code:java|title=UserGroupInformation#getUserName}
/**
 * Get the user's full principal name.
 * @return the user's full principal name.
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public String getUserName() {
  return user.getName();
}
{code}
{code:java|title=UserGroupInformation#getShortUserName}
/**
 * Get the user's login name.
 * @return the user's name up to the first '/' or '@'.
 */
public String getShortUserName() {
  return user.getShortName();
}
{code}
This typically wouldn't cause issues if Kerberos is not in use. However, once Kerberos is enabled, a bunch of problems emerge:
1. When Kerberos is enabled, {{getUserName()}} should return full principal name e.g. {{om/om@EXAMPLE.COM}}, but {{getShortUserName()}} will only return login name e.g. {{hadoop}}.
(If {{hadoop.security.auth_to_local}} is set, {{getShortUserName()}} result can become very different from full principal name. e.g. {{hadoop.security.auth_to_local = RULE:[2:$1@$0](.*)s/.*/root/}}, then {{getShortUserName()}} returns {{root}}, while {{getUserName()}} should still give {{om/om@EXAMPLE.COM}}.)
This leads to a problem (with Kerberos) where the user creates a volume with ozone shell ([uses {{getUserName()}}|https://github.com/apache/hadoop-ozone/blob/ecb5bf4df1d80723835a1500d595102f3f861708/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/volume/CreateVolumeHandler.java#L63-L65] internally) then try to list it with {{ObjectStore#listVolumesByUser(null, ...)}} ([uses {{getShortUserName()}} by default|https://github.com/apache/hadoop-ozone/blob/2fa37ef99b8fb4575169ba8326eeb677b3d2ed74/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/ObjectStore.java#L238-L256] when user param is empty or null), the user won't see any volumes because of the mismatch.
I think we should check and fix this in *all* classes that use {{getShortUserName()}}.
CC [~xyao] [~aengineer] [~arp] [~bharat]
was:
BasicOzoneFileSystem, along with a dozen other classes, is using {{getShortUserName()}}:
{code:java|title=BasicOzoneFileSystem#initialize}
try {
  this.userName =
      UserGroupInformation.getCurrentUser().getShortUserName();
} catch (IOException e) {
  this.userName = OZONE_DEFAULT_USER;
}
{code}
[Github|https://github.com/apache/hadoop-ozone/blob/c9f26ccf9f93a052c5c0c042c57b6f87709597ae/hadoop-ozone/ozonefs/src/main/java/org/apache/hadoop/fs/ozone/BasicOzoneFileSystem.java#L161-L166]
It should use {{getUserName()}} instead.
For quick reference:
{code:java|title=UserGroupInformation#getUserName}
/**
 * Get the user's full principal name.
 * @return the user's full principal name.
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public String getUserName() {
  return user.getName();
}
{code}
{code:java|title=UserGroupInformation#getShortUserName}
/**
 * Get the user's login name.
 * @return the user's name up to the first '/' or '@'.
 */
public String getShortUserName() {
  return user.getShortName();
}
{code}
This typically wouldn't cause issues if Kerberos is not in use. However, once Kerberos is enabled, a bunch of problems emerge:
1. When Kerberos is enabled, {{getUserName()}} should return full principal name e.g. {{om/om@EXAMPLE.COM}}, but {{getShortUserName()}} will only return login name e.g. {{hadoop}}.
(If {{hadoop.security.auth_to_local}} is set, {{getShortUserName()}} result can become very different from full principal name. e.g. {{hadoop.security.auth_to_local = RULE:[2:$1@$0](.*)s/.*/root/}}, then {{getShortUserName()}} returns {{root}}, while {{getUserName()}} should still give {{om/om@EXAMPLE.COM}}.)
This leads to a problem (with Kerberos) where the user creates a volume with ozone shell ([uses {{getUserName()}}|https://github.com/apache/hadoop-ozone/blob/ecb5bf4df1d80723835a1500d595102f3f861708/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/volume/CreateVolumeHandler.java#L63-L65] internally) then try to list it with {{ObjectStore#listVolumesByUser(null, ...)}} ([uses {{getShortUserName()}} by default|https://github.com/apache/hadoop-ozone/blob/2fa37ef99b8fb4575169ba8326eeb677b3d2ed74/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/ObjectStore.java#L238-L256] when user param is empty or null), the user won't see any volumes because of the mismatch.
I think we should check and fix this in all classes that use {{getShortUserName()}}.
CC [~xyao] [~aengineer] [~arp] [~bharat]
> BasicOzoneFileSystem and other classes should get user's full principal name instead of login name
> --------------------------------------------------------------------------------------------------
>
> Key: HDDS-3047
> URL: https://issues.apache.org/jira/browse/HDDS-3047
> Project: Hadoop Distributed Data Store
> Issue Type: Bug
> Components: Ozone Client
> Reporter: Siyao Meng
> Assignee: Siyao Meng
> Priority: Major
>
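The mismatch the issue describes, as an added example that is not Hadoop or Ozone code and is not part of the Jira update above. It models the two UGI name views (full principal vs. short name) with a deliberately simplified evaluation of a single {{hadoop.security.auth_to_local}} rule of the shape used in the report, and an in-memory stand-in for the volume table so the create-as-full-principal / list-as-short-name mismatch can be reproduced offline. The class name, the helper method names, and the volume table are assumptions made for this demo; Hadoop's real KerberosName supports more rule syntax than is modelled here.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added demo (not Hadoop/Ozone code); names below are made up for this example. */
public class PrincipalNameMismatchDemo {

    /** What getUserName() returns for a Kerberos login: the full principal. */
    static String fullPrincipalName(String principal) {
        return principal;
    }

    /** What getShortUserName() returns with no auth_to_local rule: up to the first '/' or '@'. */
    static String defaultShortName(String principal) {
        int cut = principal.length();
        for (char c : new char[] {'/', '@'}) {
            int idx = principal.indexOf(c);
            if (idx >= 0 && idx < cut) cut = idx;
        }
        return principal.substring(0, cut);
    }

    /** Matches RULE:[n:format](regex)s/pattern/replacement/ (sed flags not modelled). */
    private static final Pattern RULE = Pattern.compile(
        "RULE:\\[(\\d+):([^\\]]+)\\]\\(([^)]*)\\)s/([^/]*)/([^/]*)/");

    /**
     * Simplified evaluation of one auth_to_local rule. Only the subset used in the
     * issue is modelled; Hadoop's KerberosName also handles rule lists, DEFAULT,
     * and the /L and /g modifiers. When the rule does not apply we fall back to
     * the no-rule short name (a simplification for the demo).
     */
    static String shortNameWithRule(String rule, String principal) {
        Matcher m = RULE.matcher(rule);
        if (!m.matches()) {
            throw new IllegalArgumentException("unsupported rule syntax: " + rule);
        }
        int at = principal.lastIndexOf('@');
        String realm = at >= 0 ? principal.substring(at + 1) : "";
        String[] parts = (at >= 0 ? principal.substring(0, at) : principal).split("/");
        // [n:...] applies only to principals with exactly n components.
        if (parts.length != Integer.parseInt(m.group(1))) {
            return defaultShortName(principal);
        }
        // $0 is the realm, $1..$n the principal components.
        String formatted = m.group(2).replace("$0", realm);
        for (int i = 0; i < parts.length; i++) {
            formatted = formatted.replace("$" + (i + 1), parts[i]);
        }
        if (!Pattern.compile(m.group(3)).matcher(formatted).matches()) {
            return defaultShortName(principal);  // regex filter did not match
        }
        // s/pattern/replacement/ without g: replace the first match only.
        return formatted.replaceFirst(m.group(4), m.group(5));
    }

    /** Constructed stand-in for OM's volume table: owner -> volume names. */
    private static final Map<String, List<String>> VOLUME_TABLE = new HashMap<>();

    static void createVolume(String owner, String volume) {
        VOLUME_TABLE.computeIfAbsent(owner, k -> new ArrayList<>()).add(volume);
    }

    static List<String> listVolumesByUser(String owner) {
        return VOLUME_TABLE.getOrDefault(owner, Collections.emptyList());
    }

    /**
     * Reproduces the report: the shell creates the volume under the full
     * principal, the client lists under the short name, nothing is found.
     * Returns true when the listing comes back empty for the creating user.
     */
    static boolean listingMissesOwnVolume(String principal, String rule) {
        VOLUME_TABLE.clear();
        createVolume(fullPrincipalName(principal), "vol1");      // like `ozone sh volume create`
        String listedAs = rule == null
            ? defaultShortName(principal)
            : shortNameWithRule(rule, principal);                // like listVolumesByUser(null, ...)
        return listVolumesByUser(listedAs).isEmpty();
    }

    public static void main(String[] args) {
        String principal = "om/om@EXAMPLE.COM";                  // constructed sample principal
        String rule = "RULE:[2:$1@$0](.*)s/.*/root/";            // rule from the issue
        System.out.println("getUserName()      -> " + fullPrincipalName(principal));
        System.out.println("getShortUserName() -> " + defaultShortName(principal));
        System.out.println("with auth_to_local -> " + shortNameWithRule(rule, principal));
        System.out.println("listing misses volume (no rule):   " + listingMissesOwnVolume(principal, null));
        System.out.println("listing misses volume (with rule): " + listingMissesOwnVolume(principal, rule));
        // The proposed fix makes both sides use getUserName(); modelled by listing
        // under the full principal, which finds the volume again.
        VOLUME_TABLE.clear();
        createVolume(fullPrincipalName(principal), "vol1");
        System.out.println("listing after fix: " + listVolumesByUser(fullPrincipalName(principal)));
    }
}
```

Running the demo prints {{om/om@EXAMPLE.COM}} for the full name, {{om}} for the rule-free short name and {{root}} once the sample rule is applied, and both mismatch checks return true; the point for a reviewer is that any two code paths that key the same resource on different name views will disagree as soon as Kerberos (and especially {{auth_to_local}}) is in play, so the fix has to be applied consistently across every caller, not only in BasicOzoneFileSystem.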
--
This message was sent by Atlassian Jira
(v8.3.4#803005)