You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Aaron T. Myers (JIRA)" <ji...@apache.org> on 2011/04/17 21:21:05 UTC
[jira] [Created] (HADOOP-7229) Absolute path to kinit in
auto-renewal thread
Absolute path to kinit in auto-renewal thread
---------------------------------------------
Key: HADOOP-7229
URL: https://issues.apache.org/jira/browse/HADOOP-7229
Project: Hadoop Common
Issue Type: Bug
Components: security
Affects Versions: 0.21.0, 0.22.0, 0.23.0
Reporter: Aaron T. Myers
Assignee: Aaron T. Myers
Fix For: 0.23.0
In the auto-renewal thread for Kerberos credentials in {{UserGroupInformation}}, the path to {{kinit}} is defaulted to {{/usr/kerberos/bin/kinit}}. This is the default path to {{kinit}} on RHEL/CentOS for MIT krb5, but not on Debian/Ubuntu (and perhaps others OSes.)
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7229) Absolute path to kinit in
auto-renewal thread
Posted by "Todd Lipcon (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13022543#comment-13022543 ]
Todd Lipcon commented on HADOOP-7229:
-------------------------------------
+1, thanks for the updates, Aaron.
> Absolute path to kinit in auto-renewal thread
> ---------------------------------------------
>
> Key: HADOOP-7229
> URL: https://issues.apache.org/jira/browse/HADOOP-7229
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.21.0, 0.22.0, 0.23.0
> Reporter: Aaron T. Myers
> Assignee: Aaron T. Myers
> Fix For: 0.23.0
>
> Attachments: hadoop-7229.0.patch, hadoop-7229.1.patch, hadoop-7229.2.patch
>
>
> In the auto-renewal thread for Kerberos credentials in {{UserGroupInformation}}, the path to {{kinit}} is defaulted to {{/usr/kerberos/bin/kinit}}. This is the default path to {{kinit}} on RHEL/CentOS for MIT krb5, but not on Debian/Ubuntu (and perhaps others OSes.)
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-7229) Absolute path to kinit in
auto-renewal thread
Posted by "Aaron T. Myers (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7229?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Aaron T. Myers updated HADOOP-7229:
-----------------------------------
Release Note: When Hadoop's Kerberos integration is enabled, it is now required that either {{kinit}} be on the path for user accounts running the Hadoop client, or that the {{hadoop.kerberos.kinit.command}} configuration option be manually set to the absolute path to {{kinit}}. (was: It is now required that either {{kinit}} be on the path for user accounts running the Hadoop client, or that the {{hadoop.kerberos.kinit.command}} configuration option be manually set to the absolute path to {{kinit}}.)
Per an offline suggestion from Eli, I'm amending the release note to make it clear that this is only necessary to configure when security is enabled.
> Absolute path to kinit in auto-renewal thread
> ---------------------------------------------
>
> Key: HADOOP-7229
> URL: https://issues.apache.org/jira/browse/HADOOP-7229
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.21.0, 0.22.0, 0.23.0
> Reporter: Aaron T. Myers
> Assignee: Aaron T. Myers
> Fix For: 0.22.0
>
> Attachments: hadoop-7229.0.patch, hadoop-7229.1.patch, hadoop-7229.2.patch
>
>
> In the auto-renewal thread for Kerberos credentials in {{UserGroupInformation}}, the path to {{kinit}} is defaulted to {{/usr/kerberos/bin/kinit}}. This is the default path to {{kinit}} on RHEL/CentOS for MIT krb5, but not on Debian/Ubuntu (and perhaps others OSes.)
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7229) Absolute path to kinit in
auto-renewal thread
Posted by "Hudson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13022563#comment-13022563 ]
Hudson commented on HADOOP-7229:
--------------------------------
Integrated in Hadoop-Common-trunk-Commit #560 (See [https://builds.apache.org/hudson/job/Hadoop-Common-trunk-Commit/560/])
HADOOP-7229. Do not default to an absolute path for kinit in Kerberos auto-renewal thread. Contributed by Aaron T. Myers.
> Absolute path to kinit in auto-renewal thread
> ---------------------------------------------
>
> Key: HADOOP-7229
> URL: https://issues.apache.org/jira/browse/HADOOP-7229
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.21.0, 0.22.0, 0.23.0
> Reporter: Aaron T. Myers
> Assignee: Aaron T. Myers
> Fix For: 0.22.0
>
> Attachments: hadoop-7229.0.patch, hadoop-7229.1.patch, hadoop-7229.2.patch
>
>
> In the auto-renewal thread for Kerberos credentials in {{UserGroupInformation}}, the path to {{kinit}} is defaulted to {{/usr/kerberos/bin/kinit}}. This is the default path to {{kinit}} on RHEL/CentOS for MIT krb5, but not on Debian/Ubuntu (and perhaps others OSes.)
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-7229) Absolute path to kinit in
auto-renewal thread
Posted by "Aaron T. Myers (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7229?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Aaron T. Myers updated HADOOP-7229:
-----------------------------------
Attachment: hadoop-7229.0.patch
Trivial patch to remove the absolute path to {{kinit}}, and instead rely on {{kinit}} being in the {{PATH}} of the process.
> Absolute path to kinit in auto-renewal thread
> ---------------------------------------------
>
> Key: HADOOP-7229
> URL: https://issues.apache.org/jira/browse/HADOOP-7229
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.21.0, 0.22.0, 0.23.0
> Reporter: Aaron T. Myers
> Assignee: Aaron T. Myers
> Fix For: 0.23.0
>
> Attachments: hadoop-7229.0.patch
>
>
> In the auto-renewal thread for Kerberos credentials in {{UserGroupInformation}}, the path to {{kinit}} is defaulted to {{/usr/kerberos/bin/kinit}}. This is the default path to {{kinit}} on RHEL/CentOS for MIT krb5, but not on Debian/Ubuntu (and perhaps others OSes.)
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7229) Absolute path to kinit in
auto-renewal thread
Posted by "Todd Lipcon (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13021962#comment-13021962 ]
Todd Lipcon commented on HADOOP-7229:
-------------------------------------
While we're at it, would you mind adding the hadoop.kerberos.kinit.command config option to core-default.xml? Now that it's mentioned by the release notes, I think it's worth putting in there with an explanation that it should be overridden if not on the PATH
> Absolute path to kinit in auto-renewal thread
> ---------------------------------------------
>
> Key: HADOOP-7229
> URL: https://issues.apache.org/jira/browse/HADOOP-7229
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.21.0, 0.22.0, 0.23.0
> Reporter: Aaron T. Myers
> Assignee: Aaron T. Myers
> Fix For: 0.23.0
>
> Attachments: hadoop-7229.0.patch
>
>
> In the auto-renewal thread for Kerberos credentials in {{UserGroupInformation}}, the path to {{kinit}} is defaulted to {{/usr/kerberos/bin/kinit}}. This is the default path to {{kinit}} on RHEL/CentOS for MIT krb5, but not on Debian/Ubuntu (and perhaps others OSes.)
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-7229) Absolute path to kinit in
auto-renewal thread
Posted by "Todd Lipcon (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7229?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Todd Lipcon updated HADOOP-7229:
--------------------------------
Resolution: Fixed
Fix Version/s: (was: 0.23.0)
0.22.0
Hadoop Flags: [Incompatible change, Reviewed] (was: [Incompatible change])
Status: Resolved (was: Patch Available)
Committed to 0.22 and 0.23
> Absolute path to kinit in auto-renewal thread
> ---------------------------------------------
>
> Key: HADOOP-7229
> URL: https://issues.apache.org/jira/browse/HADOOP-7229
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.21.0, 0.22.0, 0.23.0
> Reporter: Aaron T. Myers
> Assignee: Aaron T. Myers
> Fix For: 0.22.0
>
> Attachments: hadoop-7229.0.patch, hadoop-7229.1.patch, hadoop-7229.2.patch
>
>
> In the auto-renewal thread for Kerberos credentials in {{UserGroupInformation}}, the path to {{kinit}} is defaulted to {{/usr/kerberos/bin/kinit}}. This is the default path to {{kinit}} on RHEL/CentOS for MIT krb5, but not on Debian/Ubuntu (and perhaps others OSes.)
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-7229) Absolute path to kinit in
auto-renewal thread
Posted by "Aaron T. Myers (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7229?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Aaron T. Myers updated HADOOP-7229:
-----------------------------------
Attachment: hadoop-7229.2.patch
Good catch, Todd. Updated patch.
> Absolute path to kinit in auto-renewal thread
> ---------------------------------------------
>
> Key: HADOOP-7229
> URL: https://issues.apache.org/jira/browse/HADOOP-7229
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.21.0, 0.22.0, 0.23.0
> Reporter: Aaron T. Myers
> Assignee: Aaron T. Myers
> Fix For: 0.23.0
>
> Attachments: hadoop-7229.0.patch, hadoop-7229.1.patch, hadoop-7229.2.patch
>
>
> In the auto-renewal thread for Kerberos credentials in {{UserGroupInformation}}, the path to {{kinit}} is defaulted to {{/usr/kerberos/bin/kinit}}. This is the default path to {{kinit}} on RHEL/CentOS for MIT krb5, but not on Debian/Ubuntu (and perhaps others OSes.)
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7229) Absolute path to kinit in
auto-renewal thread
Posted by "Hudson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13022955#comment-13022955 ]
Hudson commented on HADOOP-7229:
--------------------------------
Integrated in Hadoop-Common-22-branch #40 (See [https://builds.apache.org/hudson/job/Hadoop-Common-22-branch/40/])
HADOOP-7229. Do not default to an absolute path for kinit in Kerberos auto-renewal thread. Contributed by Aaron T. Myers.
> Absolute path to kinit in auto-renewal thread
> ---------------------------------------------
>
> Key: HADOOP-7229
> URL: https://issues.apache.org/jira/browse/HADOOP-7229
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.21.0, 0.22.0, 0.23.0
> Reporter: Aaron T. Myers
> Assignee: Aaron T. Myers
> Fix For: 0.22.0
>
> Attachments: hadoop-7229.0.patch, hadoop-7229.1.patch, hadoop-7229.2.patch
>
>
> In the auto-renewal thread for Kerberos credentials in {{UserGroupInformation}}, the path to {{kinit}} is defaulted to {{/usr/kerberos/bin/kinit}}. This is the default path to {{kinit}} on RHEL/CentOS for MIT krb5, but not on Debian/Ubuntu (and perhaps others OSes.)
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7229) Absolute path to kinit in
auto-renewal thread
Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13022417#comment-13022417 ]
Hadoop QA commented on HADOOP-7229:
-----------------------------------
-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12476946/hadoop-7229.2.patch
against trunk revision 1095121.
+1 @author. The patch does not contain any @author tags.
-1 tests included. The patch doesn't appear to include any new or modified tests.
Please justify why no new tests are needed for this patch.
Also please list what manual steps were performed to verify this patch.
+1 javadoc. The javadoc tool did not generate any warning messages.
+1 javac. The applied patch does not increase the total number of javac compiler warnings.
+1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.
+1 release audit. The applied patch does not increase the total number of release audit warnings.
+1 core tests. The patch passed core unit tests.
+1 contrib tests. The patch passed contrib unit tests.
+1 system test framework. The patch passed system test framework compile.
Test results: https://builds.apache.org/hudson/job/PreCommit-HADOOP-Build/369//testReport/
Findbugs warnings: https://builds.apache.org/hudson/job/PreCommit-HADOOP-Build/369//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Console output: https://builds.apache.org/hudson/job/PreCommit-HADOOP-Build/369//console
This message is automatically generated.
> Absolute path to kinit in auto-renewal thread
> ---------------------------------------------
>
> Key: HADOOP-7229
> URL: https://issues.apache.org/jira/browse/HADOOP-7229
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.21.0, 0.22.0, 0.23.0
> Reporter: Aaron T. Myers
> Assignee: Aaron T. Myers
> Fix For: 0.23.0
>
> Attachments: hadoop-7229.0.patch, hadoop-7229.1.patch, hadoop-7229.2.patch
>
>
> In the auto-renewal thread for Kerberos credentials in {{UserGroupInformation}}, the path to {{kinit}} is defaulted to {{/usr/kerberos/bin/kinit}}. This is the default path to {{kinit}} on RHEL/CentOS for MIT krb5, but not on Debian/Ubuntu (and perhaps others OSes.)
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7229) Absolute path to kinit in
auto-renewal thread
Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13021466#comment-13021466 ]
Hadoop QA commented on HADOOP-7229:
-----------------------------------
-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12476571/hadoop-7229.0.patch
against trunk revision 1094750.
+1 @author. The patch does not contain any @author tags.
-1 tests included. The patch doesn't appear to include any new or modified tests.
Please justify why no new tests are needed for this patch.
Also please list what manual steps were performed to verify this patch.
+1 javadoc. The javadoc tool did not generate any warning messages.
+1 javac. The applied patch does not increase the total number of javac compiler warnings.
+1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.
+1 release audit. The applied patch does not increase the total number of release audit warnings.
+1 core tests. The patch passed core unit tests.
+1 contrib tests. The patch passed contrib unit tests.
+1 system test framework. The patch passed system test framework compile.
Test results: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/352//testReport/
Findbugs warnings: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/352//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Console output: https://hudson.apache.org/hudson/job/PreCommit-HADOOP-Build/352//console
This message is automatically generated.
> Absolute path to kinit in auto-renewal thread
> ---------------------------------------------
>
> Key: HADOOP-7229
> URL: https://issues.apache.org/jira/browse/HADOOP-7229
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.21.0, 0.22.0, 0.23.0
> Reporter: Aaron T. Myers
> Assignee: Aaron T. Myers
> Fix For: 0.23.0
>
> Attachments: hadoop-7229.0.patch
>
>
> In the auto-renewal thread for Kerberos credentials in {{UserGroupInformation}}, the path to {{kinit}} is defaulted to {{/usr/kerberos/bin/kinit}}. This is the default path to {{kinit}} on RHEL/CentOS for MIT krb5, but not on Debian/Ubuntu (and perhaps others OSes.)
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7229) Absolute path to kinit in
auto-renewal thread
Posted by "Todd Lipcon (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13022408#comment-13022408 ]
Todd Lipcon commented on HADOOP-7229:
-------------------------------------
Hey Aaron. Sorry, one nit -- the renewal thread is explicitly *not* used for keytab-based logins:
{code}
if (user.getAuthenticationMethod() == AuthenticationMethod.KERBEROS &&
!isKeytab) {
Thread t = new Thread(new Runnable() {
{code}
So the docs should not reference NN/JT. Typically the use case is for users running long-running processes which need to interact with Hadoop over the course of many hours without the user manually renewing the ticket.
> Absolute path to kinit in auto-renewal thread
> ---------------------------------------------
>
> Key: HADOOP-7229
> URL: https://issues.apache.org/jira/browse/HADOOP-7229
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.21.0, 0.22.0, 0.23.0
> Reporter: Aaron T. Myers
> Assignee: Aaron T. Myers
> Fix For: 0.23.0
>
> Attachments: hadoop-7229.0.patch, hadoop-7229.1.patch
>
>
> In the auto-renewal thread for Kerberos credentials in {{UserGroupInformation}}, the path to {{kinit}} is defaulted to {{/usr/kerberos/bin/kinit}}. This is the default path to {{kinit}} on RHEL/CentOS for MIT krb5, but not on Debian/Ubuntu (and perhaps others OSes.)
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7229) Absolute path to kinit in
auto-renewal thread
Posted by "Owen O'Malley (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13022397#comment-13022397 ]
Owen O'Malley commented on HADOOP-7229:
---------------------------------------
+1 with the addition of the option to the core-default.xml
> Absolute path to kinit in auto-renewal thread
> ---------------------------------------------
>
> Key: HADOOP-7229
> URL: https://issues.apache.org/jira/browse/HADOOP-7229
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.21.0, 0.22.0, 0.23.0
> Reporter: Aaron T. Myers
> Assignee: Aaron T. Myers
> Fix For: 0.23.0
>
> Attachments: hadoop-7229.0.patch
>
>
> In the auto-renewal thread for Kerberos credentials in {{UserGroupInformation}}, the path to {{kinit}} is defaulted to {{/usr/kerberos/bin/kinit}}. This is the default path to {{kinit}} on RHEL/CentOS for MIT krb5, but not on Debian/Ubuntu (and perhaps others OSes.)
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7229) Absolute path to kinit in
auto-renewal thread
Posted by "Owen O'Malley (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13021098#comment-13021098 ]
Owen O'Malley commented on HADOOP-7229:
---------------------------------------
This is at the very least an incompatible change, since any site that doesn't have kinit on the hdfs and mapred account's path will break.
That said, I think it is the right direction.
Please update the release note field in the jira to describe that.
> Absolute path to kinit in auto-renewal thread
> ---------------------------------------------
>
> Key: HADOOP-7229
> URL: https://issues.apache.org/jira/browse/HADOOP-7229
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.21.0, 0.22.0, 0.23.0
> Reporter: Aaron T. Myers
> Assignee: Aaron T. Myers
> Fix For: 0.23.0
>
> Attachments: hadoop-7229.0.patch
>
>
> In the auto-renewal thread for Kerberos credentials in {{UserGroupInformation}}, the path to {{kinit}} is defaulted to {{/usr/kerberos/bin/kinit}}. This is the default path to {{kinit}} on RHEL/CentOS for MIT krb5, but not on Debian/Ubuntu (and perhaps others OSes.)
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-7229) Absolute path to kinit in
auto-renewal thread
Posted by "Aaron T. Myers (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7229?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Aaron T. Myers updated HADOOP-7229:
-----------------------------------
Release Note: It is now required that either {{kinit}} be on the path for both the {{hdfs}} and {{mapred}} user accounts, or that the {{hadoop.kerberos.kinit.command}} configuration option be manually set to the absolute path to {{kinit}}.
Hadoop Flags: [Incompatible change]
Thanks a lot for the review/comments, Owen. I've updated the release note and marked this as an incompatible change.
> Absolute path to kinit in auto-renewal thread
> ---------------------------------------------
>
> Key: HADOOP-7229
> URL: https://issues.apache.org/jira/browse/HADOOP-7229
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.21.0, 0.22.0, 0.23.0
> Reporter: Aaron T. Myers
> Assignee: Aaron T. Myers
> Fix For: 0.23.0
>
> Attachments: hadoop-7229.0.patch
>
>
> In the auto-renewal thread for Kerberos credentials in {{UserGroupInformation}}, the path to {{kinit}} is defaulted to {{/usr/kerberos/bin/kinit}}. This is the default path to {{kinit}} on RHEL/CentOS for MIT krb5, but not on Debian/Ubuntu (and perhaps others OSes.)
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7229) Absolute path to kinit in
auto-renewal thread
Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13022540#comment-13022540 ]
Hadoop QA commented on HADOOP-7229:
-----------------------------------
-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12476946/hadoop-7229.2.patch
against trunk revision 1095121.
+1 @author. The patch does not contain any @author tags.
-1 tests included. The patch doesn't appear to include any new or modified tests.
Please justify why no new tests are needed for this patch.
Also please list what manual steps were performed to verify this patch.
+1 javadoc. The javadoc tool did not generate any warning messages.
+1 javac. The applied patch does not increase the total number of javac compiler warnings.
+1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.
+1 release audit. The applied patch does not increase the total number of release audit warnings.
+1 core tests. The patch passed core unit tests.
+1 contrib tests. The patch passed contrib unit tests.
+1 system test framework. The patch passed system test framework compile.
Test results: https://builds.apache.org/hudson/job/PreCommit-HADOOP-Build/370//testReport/
Findbugs warnings: https://builds.apache.org/hudson/job/PreCommit-HADOOP-Build/370//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Console output: https://builds.apache.org/hudson/job/PreCommit-HADOOP-Build/370//console
This message is automatically generated.
> Absolute path to kinit in auto-renewal thread
> ---------------------------------------------
>
> Key: HADOOP-7229
> URL: https://issues.apache.org/jira/browse/HADOOP-7229
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.21.0, 0.22.0, 0.23.0
> Reporter: Aaron T. Myers
> Assignee: Aaron T. Myers
> Fix For: 0.23.0
>
> Attachments: hadoop-7229.0.patch, hadoop-7229.1.patch, hadoop-7229.2.patch
>
>
> In the auto-renewal thread for Kerberos credentials in {{UserGroupInformation}}, the path to {{kinit}} is defaulted to {{/usr/kerberos/bin/kinit}}. This is the default path to {{kinit}} on RHEL/CentOS for MIT krb5, but not on Debian/Ubuntu (and perhaps others OSes.)
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-7229) Absolute path to kinit in
auto-renewal thread
Posted by "Aaron T. Myers (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7229?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Aaron T. Myers updated HADOOP-7229:
-----------------------------------
Status: Patch Available (was: Open)
> Absolute path to kinit in auto-renewal thread
> ---------------------------------------------
>
> Key: HADOOP-7229
> URL: https://issues.apache.org/jira/browse/HADOOP-7229
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.21.0, 0.22.0, 0.23.0
> Reporter: Aaron T. Myers
> Assignee: Aaron T. Myers
> Fix For: 0.23.0
>
> Attachments: hadoop-7229.0.patch
>
>
> In the auto-renewal thread for Kerberos credentials in {{UserGroupInformation}}, the path to {{kinit}} is defaulted to {{/usr/kerberos/bin/kinit}}. This is the default path to {{kinit}} on RHEL/CentOS for MIT krb5, but not on Debian/Ubuntu (and perhaps others OSes.)
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-7229) Absolute path to kinit in
auto-renewal thread
Posted by "Hudson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13023194#comment-13023194 ]
Hudson commented on HADOOP-7229:
--------------------------------
Integrated in Hadoop-Common-trunk #666 (See [https://builds.apache.org/hudson/job/Hadoop-Common-trunk/666/])
HADOOP-7229. Do not default to an absolute path for kinit in Kerberos auto-renewal thread. Contributed by Aaron T. Myers.
> Absolute path to kinit in auto-renewal thread
> ---------------------------------------------
>
> Key: HADOOP-7229
> URL: https://issues.apache.org/jira/browse/HADOOP-7229
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.21.0, 0.22.0, 0.23.0
> Reporter: Aaron T. Myers
> Assignee: Aaron T. Myers
> Fix For: 0.22.0
>
> Attachments: hadoop-7229.0.patch, hadoop-7229.1.patch, hadoop-7229.2.patch
>
>
> In the auto-renewal thread for Kerberos credentials in {{UserGroupInformation}}, the path to {{kinit}} is defaulted to {{/usr/kerberos/bin/kinit}}. This is the default path to {{kinit}} on RHEL/CentOS for MIT krb5, but not on Debian/Ubuntu (and perhaps others OSes.)
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-7229) Absolute path to kinit in
auto-renewal thread
Posted by "Aaron T. Myers (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7229?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Aaron T. Myers updated HADOOP-7229:
-----------------------------------
Attachment: hadoop-7229.1.patch
Thanks for the comments, Todd and Owen. Updated patch to address comments.
> Absolute path to kinit in auto-renewal thread
> ---------------------------------------------
>
> Key: HADOOP-7229
> URL: https://issues.apache.org/jira/browse/HADOOP-7229
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.21.0, 0.22.0, 0.23.0
> Reporter: Aaron T. Myers
> Assignee: Aaron T. Myers
> Fix For: 0.23.0
>
> Attachments: hadoop-7229.0.patch, hadoop-7229.1.patch
>
>
> In the auto-renewal thread for Kerberos credentials in {{UserGroupInformation}}, the path to {{kinit}} is defaulted to {{/usr/kerberos/bin/kinit}}. This is the default path to {{kinit}} on RHEL/CentOS for MIT krb5, but not on Debian/Ubuntu (and perhaps others OSes.)
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HADOOP-7229) Absolute path to kinit in
auto-renewal thread
Posted by "Aaron T. Myers (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-7229?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Aaron T. Myers updated HADOOP-7229:
-----------------------------------
Release Note: It is now required that either {{kinit}} be on the path for user accounts running the Hadoop client, or that the {{hadoop.kerberos.kinit.command}} configuration option be manually set to the absolute path to {{kinit}}. (was: It is now required that either {{kinit}} be on the path for both the {{hdfs}} and {{mapred}} user accounts, or that the {{hadoop.kerberos.kinit.command}} configuration option be manually set to the absolute path to {{kinit}}.)
Updated release note to reflect Todd's comments.
> Absolute path to kinit in auto-renewal thread
> ---------------------------------------------
>
> Key: HADOOP-7229
> URL: https://issues.apache.org/jira/browse/HADOOP-7229
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.21.0, 0.22.0, 0.23.0
> Reporter: Aaron T. Myers
> Assignee: Aaron T. Myers
> Fix For: 0.23.0
>
> Attachments: hadoop-7229.0.patch, hadoop-7229.1.patch, hadoop-7229.2.patch
>
>
> In the auto-renewal thread for Kerberos credentials in {{UserGroupInformation}}, the path to {{kinit}} is defaulted to {{/usr/kerberos/bin/kinit}}. This is the default path to {{kinit}} on RHEL/CentOS for MIT krb5, but not on Debian/Ubuntu (and perhaps others OSes.)
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira