Posted to issues@ozone.apache.org by "Siyao Meng (Jira)" <ji...@apache.org> on 2020/02/21 03:36:00 UTC

[jira] [Created] (HDDS-3047) BasicOzoneFileSystem and other classes should get user's full principal name instead of login name

Siyao Meng created HDDS-3047:
--------------------------------

             Summary: BasicOzoneFileSystem and other classes should get user's full principal name instead of login name
                 Key: HDDS-3047
                 URL: https://issues.apache.org/jira/browse/HDDS-3047
             Project: Hadoop Distributed Data Store
          Issue Type: Bug
          Components: Ozone Client
            Reporter: Siyao Meng
            Assignee: Siyao Meng


BasicOzoneFileSystem, along with a dozen other classes, is using {{getShortUserName()}}:
{code:java|title=BasicOzoneFileSystem#initialize}
      try {
        this.userName =
            UserGroupInformation.getCurrentUser().getShortUserName();
      } catch (IOException e) {
        this.userName = OZONE_DEFAULT_USER;
      }
{code}
[Github|https://github.com/apache/hadoop-ozone/blob/c9f26ccf9f93a052c5c0c042c57b6f87709597ae/hadoop-ozone/ozonefs/src/main/java/org/apache/hadoop/fs/ozone/BasicOzoneFileSystem.java#L161-L166]
It should use {{getUserName()}} instead.

For quick reference:
{code:java|title=UserGroupInformation#getUserName}
  /**
   * Get the user's full principal name.
   * @return the user's full principal name.
   */
  @InterfaceAudience.Public
  @InterfaceStability.Evolving
  public String getUserName() {
    return user.getName();
  }
{code}

{code:java|title=UserGroupInformation#getShortUserName}
  /**
   * Get the user's login name.
   * @return the user's name up to the first '/' or '@'.
   */
  public String getShortUserName() {
    return user.getShortName();
  }
{code}

This typically wouldn't cause an issue if Kerberos is not in use. However, once Kerberos is enabled, a bunch of problems emerge:

1. When Kerberos is enabled, {{getUserName()}} should return the full principal name, e.g. {{om/om@EXAMPLE.COM}}, but {{getShortUserName()}} will only return the login name, e.g. {{hadoop}}.

(If {{hadoop.security.auth_to_local}} is set, the {{getShortUserName()}} result can become very different from the full principal name. E.g. with {{hadoop.security.auth_to_local = RULE:[2:$1@$0](.*)s/.*/root/}}, {{getShortUserName()}} returns {{root}}, while {{getUserName()}} should still give {{om/om@EXAMPLE.COM}}.)

This leads to a problem (with Kerberos) where the user creates a volume with ozone shell ([uses {{getUserName()}}|https://github.com/apache/hadoop-ozone/blob/ecb5bf4df1d80723835a1500d595102f3f861708/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/volume/CreateVolumeHandler.java#L63-L65] internally) and then tries to list it with {{ObjectStore#listVolumesByUser(null, ...)}} ([uses {{getShortUserName()}} by default|https://github.com/apache/hadoop-ozone/blob/2fa37ef99b8fb4575169ba8326eeb677b3d2ed74/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/ObjectStore.java#L238-L256] when user param is empty or null); the user won't see any volumes because of the mismatch.

I think we should check and fix this in all classes that use {{getShortUserName()}}.

CC [~xyao] [~aengineer] [~arp] [~bharat]



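An added illustration (not Ozone or Hadoop code, and not from the reporter) of the mismatch described in the report above: an owner-keyed volume table is written with the full principal and read back with a short name. The class, the `volumesByOwner` table, `createVolume`, `listVolumes` and the second principal are hypothetical; `shortName` is a simplified stand-in for the quoted "up to the first '/' or '@'" behaviour, and `rootRule` models the effect of the report's `auth_to_local` example rather than parsing it.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.function.UnaryOperator;

public class PrincipalMismatchDemo {
    // Simplified stand-in: the user's name up to the first '/' or '@'.
    static String shortName(String principal) {
        for (int i = 0; i < principal.length(); i++) {
            char c = principal.charAt(i);
            if (c == '/' || c == '@') {
                return principal.substring(0, i);
            }
        }
        return principal;
    }

    // Hypothetical owner-keyed volume table (owner string -> volume names).
    static final Map<String, List<String>> volumesByOwner = new HashMap<>();

    static void createVolume(String owner, String volume) {
        volumesByOwner.computeIfAbsent(owner, k -> new ArrayList<>()).add(volume);
    }

    // Exact string match on the owner, as an owner-keyed lookup would do.
    static List<String> listVolumes(String owner) {
        return volumesByOwner.getOrDefault(owner, List.of());
    }

    public static void main(String[] args) {
        String om = "om/om@EXAMPLE.COM";      // principal used in the report
        String other = "scm/scm@EXAMPLE.COM"; // constructed second principal

        // Create path: the full principal is recorded as the volume owner.
        createVolume(om, "vol1");

        // List path defaulting to the short name: the key differs, so the
        // lookup does not find the volume the same user just created.
        System.out.println("by short name: " + listVolumes(shortName(om)));
        System.out.println("by principal:  " + listVolumes(om));

        // Effect of a rule ending in s/.*/root/: every principal collapses to
        // one local name, so short names cannot tell the two owners apart.
        UnaryOperator<String> rootRule = p -> "root";
        System.out.println("distinct principals share a short name: "
            + rootRule.apply(om).equals(rootRule.apply(other)));
    }
}
```

The second half is the security-relevant part: a short name is a lossy mapping, so using it as an ownership or ACL key can merge identities that Kerberos keeps distinct.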