You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by "Arun Suresh (JIRA)" <ji...@apache.org> on 2014/10/08 18:42:34 UTC

[jira] [Commented] (HADOOP-11176) KMSClientProvider authentication fails when when both currentUgi and loginUgi is a proxied user

    [ https://issues.apache.org/jira/browse/HADOOP-11176?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14163738#comment-14163738 ] 

Arun Suresh commented on HADOOP-11176:
--------------------------------------

Please do note.. as demonstrated in the testcases, it can fail in the case of SIMPLE auth as well since both the "user.name" and "doAs" parameters sent by KMSClientProvider to the KMS server would always be the same... this patch fixes that..

> KMSClientProvider authentication fails when when both currentUgi and loginUgi is a proxied user
> -----------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-11176
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11176
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Arun Suresh
>         Attachments: HADOOP-11176.1.patch
>
>
> In a secure environment, with kerberos, when the KMSClientProvider instance is created in the context of a proxied user, The initial SPNEGO handshake is made with the currentUser (the proxied user) as the Principal.. this will fail, since the proxied user is not logged in.
> The handshake must be done using the real user.
>  



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)