You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by "Daryn Sharp (Jira)" <ji...@apache.org> on 2019/08/20 15:01:00 UTC

[jira] [Resolved] (HADOOP-16521) Subject has a contradiction between proxy user and real user

     [ https://issues.apache.org/jira/browse/HADOOP-16521?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daryn Sharp resolved HADOOP-16521.
----------------------------------
    Resolution: Invalid

> Subject has a contradiction between proxy user and real user
> ------------------------------------------------------------
>
>                 Key: HADOOP-16521
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16521
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Yicong Cai
>            Priority: Major
>
> In the method UserGroupInformation#loginUserFromSubject, if you specify ProxyUser with HADOOP_PROXY_USER, and create a Proxy UGI instance, the valid Credentials are included in the User's PrivateCredentials. The UGI information is as follows:
>  
> {code:java}
>  proxyUGI
>  |
>  |--subject 1
>  | |
>  | |--principals
>  | | |
>  | | |--user
>  | | |
>  | |  --real user
>  | |
>  |  --privCredentials(all cred)
>  |
>   --proxy user
> {code}
>  
> If you first login Real User and then use UserGroupInformation#createProxyUser to create a Proxy UGI, the valid Credentials information is included in RealUser's subject PrivateCredentials. The UGI information is as follows:
>  
> {code:java}
> proxyUGI
>  |
>  |--subject 1
>  | |
>  | |--principals
>  | | |
>  | | |--user
>  | | |
>  | |  --real user
>  | |    |
>  | |     --subject 2
>  | |       |
>  | |        --privCredentials(all cred)
>  | |
>  |  --privCredentials(empty)
>  |
>   --proxy user{code}
>  
> Use the proxy user in the HDFS FileSystem to perform token-related operations.
> However, in the RPC Client Connection, use the token in RealUser for SaslRpcClient#saslConnect.
> So the main contradiction is, should ProxyUser's real Credentials information be placed in ProxyUGI's subject, or should it be placed in RealUser's subject?



--
This message was sent by Atlassian Jira
(v8.3.2#803003)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org