Posted to common-issues@hadoop.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2020/08/27 18:06:00 UTC

[jira] [Work logged] (HADOOP-17159) Make UGI support forceful relogin from keytab ignoring the last login time

     [ https://issues.apache.org/jira/browse/HADOOP-17159?focusedWorklogId=475460&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-475460 ]

ASF GitHub Bot logged work on HADOOP-17159:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 27/Aug/20 18:05
            Start Date: 27/Aug/20 18:05
    Worklog Time Spent: 10m 
      Work Description: liuml07 commented on a change in pull request #2245:
URL: https://github.com/apache/hadoop/pull/2245#discussion_r478602120



##########
File path: hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
##########
@@ -1215,23 +1215,43 @@ private void fixKerberosTicketOrder() {
    * Re-Login a user in from a keytab file. Loads a user identity from a keytab
    * file and logs them in. They become the currently logged-in user. This
    * method assumes that {@link #loginUserFromKeytab(String, String)} had
-   * happened already.
-   * The Subject field of this UserGroupInformation object is updated to have
-   * the new credentials.
+   * happened already. The Subject field of this UserGroupInformation object is
+   * updated to have the new credentials.
+   *
    * @throws IOException
    * @throws KerberosAuthException on a failure
    */
   @InterfaceAudience.Public
   @InterfaceStability.Evolving
   public synchronized void reloginFromKeytab() throws IOException {
+    reloginFromKeytab(false);
+  }
+
+  /**
+   * Force re-Login a user in from a keytab file. Loads a user identity from a
+   * keytab file and logs them in. They become the currently logged-in user.
+   * This method assumes that {@link #loginUserFromKeytab(String, String)} had
+   * happened already. The Subject field of this UserGroupInformation object is
+   * updated to have the new credentials.
+   *
+   * @param ignoreTimeElapsed Force re-login irrespective of the time of last
+   *                          login
+   * @throws IOException
+   * @throws KerberosAuthException on a failure
+   */
+  @InterfaceAudience.Public
+  @InterfaceStability.Evolving
+  public synchronized void reloginFromKeytab(boolean ignoreTimeElapsed)
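
Review bot: the Javadoc on the new `reloginFromKeytab(boolean ignoreTimeElapsed)` overload does not say what passing `false` does or which time window is being ignored, and because the method is marked `@InterfaceAudience.Public` callers only have this text to go on. Suggest stating in the `@param` description that `false` behaves exactly like the no-argument `reloginFromKeytab()` and that `true` skips the check on the time since the last login. The rest of the comment is copied from the no-argument method, so the two descriptions differ only in the word "Force"; a one-line summary plus a `{@link #reloginFromKeytab()}` reference would make the difference easier to see. The bare `@throws IOException` tags on both methods could also say when the exception is thrown.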

Review comment:
   I'm thinking of the same problem with the same method signature when potential Hadoop 2 code calling `reloginFromKeytab(false)` upgrades to Hadoop 3. Because of the same method name and a bool parameter, users most likely will not notice that the parameter value has different meanings: in Hadoop 2 here, the bool parameter is for `ignoreTimeElapsed`, whereas in Hadoop 3 it is actually for `checkTGT`.
   
   So is it better to:
   1. Make this new API `public synchronized void reloginFromKeytab(boolean ignoreTimeElapsed)` private
   2. AND we also add the new API as in Hadoop 3: `public void forceReloginFromKeytab()`.
   
   That way, the application code which forces login will have the same code between Hadoop 2 and 3. And the other new API `reloginFromKeytab(boolean)` is private in UGI both in Hadoop 2 and 3.






Issue Time Tracking
-------------------

            Worklog Id:     (was: 475460)
    Remaining Estimate: 0h
            Time Spent: 10m

> Make UGI support forceful relogin from keytab ignoring the last login time
> --------------------------------------------------------------------------
>
>                 Key: HADOOP-17159
>                 URL: https://issues.apache.org/jira/browse/HADOOP-17159
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.10.0, 3.3.0, 3.2.1, 3.1.3
>            Reporter: Sandeep Guggilam
>            Assignee: Sandeep Guggilam
>            Priority: Major
>             Fix For: 3.2.2, 3.3.1, 3.4.0, 3.1.5
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Currently we have a relogin() method in UGI which attempts to login if there is no login attempted in the last 10 minutes or configured amount of time.
> We should also have provision for doing a forceful relogin irrespective of the time window, which the client can choose to use if needed. Consider the below scenario:
>  1. SASL Server is reimaged and new keytabs are fetched with refreshing the password
>  2. SASL client connection to the server would fail when it tries with the cached service ticket
>  3. We should try to logout to clear the service tickets in cache and then try to login back in such scenarios. But since the current relogin() doesn't guarantee a login, it could cause an issue
>  4. A forceful relogin in this case would help after logout
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
