You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Arun C Murthy (JIRA)" <ji...@apache.org> on 2009/10/08 09:49:31 UTC
[jira] Created: (HADOOP-6299) Use JAAS LoginContext for our login
Use JAAS LoginContext for our login
-----------------------------------
Key: HADOOP-6299
URL: https://issues.apache.org/jira/browse/HADOOP-6299
Project: Hadoop Common
Issue Type: Improvement
Components: security
Reporter: Arun C Murthy
Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12804953#action_12804953 ]
Hadoop QA commented on HADOOP-6299:
-----------------------------------
+1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12431411/h-6299.patch
against trunk revision 903015.
+1 @author. The patch does not contain any @author tags.
+1 tests included. The patch appears to include 20 new or modified tests.
+1 javadoc. The javadoc tool did not generate any warning messages.
+1 javac. The applied patch does not increase the total number of javac compiler warnings.
+1 findbugs. The patch does not introduce any new Findbugs warnings.
+1 release audit. The applied patch does not increase the total number of release audit warnings.
+1 core tests. The patch passed core unit tests.
+1 contrib tests. The patch passed contrib unit tests.
Test results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/291/testReport/
Findbugs warnings: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/291/artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Checkstyle results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/291/artifact/trunk/build/test/checkstyle-errors.html
Console output: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/291/console
This message is automatically generated.
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12803431#action_12803431 ]
Hadoop QA commented on HADOOP-6299:
-----------------------------------
-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12430808/h-6299.patch
against trunk revision 901540.
+1 @author. The patch does not contain any @author tags.
+1 tests included. The patch appears to include 20 new or modified tests.
-1 javadoc. The javadoc tool appears to have generated 1 warning messages.
+1 javac. The applied patch does not increase the total number of javac compiler warnings.
-1 findbugs. The patch appears to introduce 1 new Findbugs warnings.
+1 release audit. The applied patch does not increase the total number of release audit warnings.
+1 core tests. The patch passed core unit tests.
+1 contrib tests. The patch passed contrib unit tests.
Test results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/284/testReport/
Findbugs warnings: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/284/artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Checkstyle results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/284/artifact/trunk/build/test/checkstyle-errors.html
Console output: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/284/console
This message is automatically generated.
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Jakob Homan (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jakob Homan updated HADOOP-6299:
--------------------------------
Attachment: HADOOP-6299-2.patch
Owen's latest patch doesn't apply after changes from HADOOP-4656. Updated file to apply clean. Working on remaining items.
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Owen O'Malley (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Owen O'Malley updated HADOOP-6299:
----------------------------------
Status: Open (was: Patch Available)
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12804628#action_12804628 ]
Hadoop QA commented on HADOOP-6299:
-----------------------------------
+1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12431322/h-6299.patch
against trunk revision 902745.
+1 @author. The patch does not contain any @author tags.
+1 tests included. The patch appears to include 20 new or modified tests.
+1 javadoc. The javadoc tool did not generate any warning messages.
+1 javac. The applied patch does not increase the total number of javac compiler warnings.
+1 findbugs. The patch does not introduce any new Findbugs warnings.
+1 release audit. The applied patch does not increase the total number of release audit warnings.
+1 core tests. The patch passed core unit tests.
+1 contrib tests. The patch passed contrib unit tests.
Test results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/289/testReport/
Findbugs warnings: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/289/artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Checkstyle results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/289/artifact/trunk/build/test/checkstyle-errors.html
Console output: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/289/console
This message is automatically generated.
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Owen O'Malley (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Owen O'Malley updated HADOOP-6299:
----------------------------------
Resolution: Fixed
Hadoop Flags: [Incompatible change, Reviewed] (was: [Incompatible change])
Status: Resolved (was: Patch Available)
I just committed this.
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Owen O'Malley (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Owen O'Malley updated HADOOP-6299:
----------------------------------
Attachment: h-6299.patch
Here's a preliminary patch for common.
This patch:
# Works on Linux and Mac. It should work on Windows, except for the numeric group ids.
# The default UserGroupInformation.getUserName() is the full qualified name if Kerberos is turned on
# The Kerberos login module is optional, even if Kerberos is turned on.
# There is a doAs method on UGI to work as another user.
# We don't export the Subject from UGI any more
# Group is removed and User is now private.
# You can't set/get a UGI from a configuration.
# Service level authorization is radically changed to use the UGI instead of the Subject.
# Strengthened the SLA unit test
# Moved SLA tests from WritableRpcEngine to the framework
# Passes unit tests
It still needs:
# A method to add/get tokens from the subject.
# A method to ask whether security is turned on.
# A method to set the configuration.
# Fix for windows to use the numeric group id method.
and of course, we need to fix HDFS and MapReduce. *smile*
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: h-6299.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Devaraj Das (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Devaraj Das updated HADOOP-6299:
--------------------------------
Attachment: 6299-MR-early.patch
This patch fixes most of MR to do UGI stuff in the new model. This patch makes MR compile on top of common built with the last patch Jakob uploaded. I didn't attempt to run the tests yet. One reason is that I don't have the new hdfs test class MiniHDFSCluster/DFSAdmin (and maybe others), and that's used in the MR tests.
The other thing is the SecurityUtil's group mapping service is unavailable (and a test depends on that). I believe Owen/Jakob are putting that in in the next update to the patch for common.
This may be a good time to get rid of the JobContext.USER_NAME and its usage in the framework. The patch doesn't address that.
And yes, moving MR to the new UGI model was messier than i initially expected.
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Arun C Murthy (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Arun C Murthy updated HADOOP-6299:
----------------------------------
Fix Version/s: 0.22.0
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Fix For: 0.22.0
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Owen O'Malley (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12806114#action_12806114 ]
Owen O'Malley commented on HADOOP-6299:
---------------------------------------
Java "public" does *not* imply public API. As a concrete instance of that, all of the RPC protocol interfaces are Java public and none of them are considered public APIs. Another instance is the NameNode and DataNode classes.
I agree that prior to having the Audience annotations, it wasn't clear who the intended audience is. We are making progress in marking APIs, but it is not complete.
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Hudson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12828471#action_12828471 ]
Hudson commented on HADOOP-6299:
--------------------------------
Integrated in Hadoop-Mapreduce-trunk-Commit #225 (See [http://hudson.zones.apache.org/hudson/job/Hadoop-Mapreduce-trunk-Commit/225/])
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, HADOOP-6299-Y20.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Devaraj Das (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Devaraj Das updated HADOOP-6299:
--------------------------------
Status: Patch Available (was: Open)
The patch looks good to me. Some javadoc could be added in the UserGroupInformation class but other than that, I think it is ready. The patch has also been used by both HDFS and MR from the point of view of using the APIs defined in the patch.
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Owen O'Malley (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Owen O'Malley updated HADOOP-6299:
----------------------------------
Status: Patch Available (was: Open)
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Doug Cutting (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12805692#action_12805692 ]
Doug Cutting commented on HADOOP-6299:
--------------------------------------
I share Tom's concern. Should we re-open this issue or file a new one?
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Owen O'Malley (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Owen O'Malley updated HADOOP-6299:
----------------------------------
Status: Open (was: Patch Available)
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Owen O'Malley (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Owen O'Malley updated HADOOP-6299:
----------------------------------
Status: Patch Available (was: Open)
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Chris Douglas (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12806180#action_12806180 ]
Chris Douglas commented on HADOOP-6299:
---------------------------------------
bq. I'd be much more comfortable with that policy if a patch had been approved by consensus that actually added the annotations to all unstable public classes. Without that, our users have no ability to see what's stable and what's not. This policy been subject to any vote, only the code that permits us to declare scopes has.
HADOOP-5073 had nearly a year of discussion before it was committed; that clause was in the first draft. Still, if you feel strongly about it, start a discussion and call a vote. In Hadoop, a whitelist of "this is public" makes a lot more sense to me than a blacklist of "this is private," but I can see why some users would disagree.
bq. UnixUserGroupInformation.java was added as a public class in December of 2007, in HADOOP-2299. At that point in time Java visibility was used to define back-compatibility constraints.
Really? The scope of our back-compatibility constraints was not defined, which I thought was the motivation of HADOOP-5073. Asserting that this undocumented policy should apply to this issue until HADOOP-5073 gets even more discussion isn't a gap easily bridged for me. Is functionality lost when UnixUserGroupInformation is removed or is it redundant in the new code? Is the issue only that a public class was removed without first deprecating it?
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Owen O'Malley (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Owen O'Malley updated HADOOP-6299:
----------------------------------
Attachment: UserGroupInformation.java
This is a prototype of what I have in mind. In particular:
1. Reimplement UserGroupInformation (UGI) to be based entirely on JAAS.
2. UGI will have a single field that is the JAAS Subject that stores all of the information.
3. UGI will support both Unix and Kerberos authentication. Unix is the equivalent of what we have now. Kerberos will assume that the user has a TGT in the ticket cache.
4. Servers will be able to login in using a Kerberos keytab and principal name so that they run as the user.
5. There will be a method to create a remote user based solely on the user name.
6. It will use the Hadoop configuration to determine whether Kerberos or simple authentication is used. The JAAS configuration is done programatically instead of needing a separate configuration file in $JAVA_HOME.
7. Move User class into UserGroupInformation.
8. Remove Group class.
9. Remove UnixUserGroupInformation class.
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Fix For: 0.22.0
>
> Attachments: UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12803828#action_12803828 ]
Hadoop QA commented on HADOOP-6299:
-----------------------------------
-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12431123/h-6299.patch
against trunk revision 901924.
+1 @author. The patch does not contain any @author tags.
+1 tests included. The patch appears to include 20 new or modified tests.
+1 javadoc. The javadoc tool did not generate any warning messages.
+1 javac. The applied patch does not increase the total number of javac compiler warnings.
-1 findbugs. The patch appears to introduce 1 new Findbugs warnings.
+1 release audit. The applied patch does not increase the total number of release audit warnings.
+1 core tests. The patch passed core unit tests.
+1 contrib tests. The patch passed contrib unit tests.
Test results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/285/testReport/
Findbugs warnings: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/285/artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
Checkstyle results: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/285/artifact/trunk/build/test/checkstyle-errors.html
Console output: http://hudson.zones.apache.org/hudson/job/Hadoop-Patch-h4.grid.sp2.yahoo.net/285/console
This message is automatically generated.
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Hudson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12806698#action_12806698 ]
Hudson commented on HADOOP-6299:
--------------------------------
Integrated in Hadoop-Mapreduce-trunk #221 (See [http://hudson.zones.apache.org/hudson/job/Hadoop-Mapreduce-trunk/221/])
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Doug Cutting (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12806060#action_12806060 ]
Doug Cutting commented on HADOOP-6299:
--------------------------------------
> They were never intended to be public interfaces. They were intended to be limited to HDFS and MapReduce.
Hmm. UnixUserGroupInformation.java was added as a public class in December of 2007, in HADOOP-2299. At that point in time Java visibility was used to define back-compatibility constraints.
HADOOP-5073 proposed changing back-compatibility constraints, but its proposed constraints were never subjected to a vote. Sanjay states that any API not listed in his final comment there (added after the commit) are unstable. I'd be much more comfortable with that policy if a patch had been approved by consensus that actually added the annotations to all unstable public classes. Without that, our users have no ability to see what's stable and what's not. This policy been subject to any vote, only the code that permits us to declare scopes has.
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Owen O'Malley (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Owen O'Malley updated HADOOP-6299:
----------------------------------
Attachment: h-6299.patch
This patch fixes the findbugs warning about circular static dependencies. I pulled the static block that sets the HadoopConfiguration as the JAAS configuration into initialize.
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Owen O'Malley (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Owen O'Malley updated HADOOP-6299:
----------------------------------
Attachment: h-6299.patch
This adjusts the setConfiguration to not replace the TestingGroups object if we have been
using the fake group service for testing.
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Devaraj Das (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12805343#action_12805343 ]
Devaraj Das commented on HADOOP-6299:
-------------------------------------
+1 on the patch.
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Tom White (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12805591#action_12805591 ]
Tom White commented on HADOOP-6299:
-----------------------------------
Sorry to come to this so late, but I notice that this change removes some public classes (e.g. User, UnixUserGroupInformation) - should we not deprecate them first before removing them?
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Owen O'Malley (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Owen O'Malley updated HADOOP-6299:
----------------------------------
Attachment: h-6299.patch
This patch fixes:
1. UGI.toString now just returns the user name.
2. Fixes the javadoc warnings
3. Adds more javadoc into UGI
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Owen O'Malley (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Owen O'Malley updated HADOOP-6299:
----------------------------------
Status: Open (was: Patch Available)
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Owen O'Malley (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12805716#action_12805716 ]
Owen O'Malley commented on HADOOP-6299:
---------------------------------------
They were never intended to be public interfaces. They were intended to be limited to HDFS and MapReduce.
User still exists, it was just made non-public, which is hard to mark with deprecation. If the community thinks it is important to keep a deprecated UnixUGI, please open a new jira.
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Owen O'Malley (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Owen O'Malley updated HADOOP-6299:
----------------------------------
Status: Patch Available (was: Open)
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Assigned: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Owen O'Malley (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Owen O'Malley reassigned HADOOP-6299:
-------------------------------------
Assignee: Owen O'Malley
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Hudson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12805483#action_12805483 ]
Hudson commented on HADOOP-6299:
--------------------------------
Integrated in Hadoop-Common-trunk #234 (See [http://hudson.zones.apache.org/hudson/job/Hadoop-Common-trunk/234/])
. Reimplement the UserGroupInformation to use the OS
specific and Kerberos JAAS login. (omalley)
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Owen O'Malley (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Owen O'Malley updated HADOOP-6299:
----------------------------------
Attachment: h-6299.patch
This patch updates Common to the new UGI.
Details:
1. Removes the UnixUserGroupInformation class.
2. The UserGroupInformation becomes a thin shell over the Subject.
3. The Subject is no longer exposed to clients.
4. It adds a doAs method for working as another user.
5. Simplifies the Service Level Authorization to check directly rather than going through permissions.
6. UGI loads Kerberos tickets into the subject.
7. methods to load user credentials from keytab files.
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Jakob Homan (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jakob Homan updated HADOOP-6299:
--------------------------------
Attachment: HADOOP-6299-Y20.patch
Patch for Yahoo!'s distribution. Tests and test-patch are fine (except known issue HADOOP-6530).
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, HADOOP-6299-Y20.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Kan Zhang (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12791097#action_12791097 ]
Kan Zhang commented on HADOOP-6299:
-----------------------------------
There needs to be methods for saving and retrieving tokens of various kinds.
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Chris Douglas (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Chris Douglas updated HADOOP-6299:
----------------------------------
Hadoop Flags: [Incompatible change]
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Jakob Homan (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jakob Homan updated HADOOP-6299:
--------------------------------
Attachment: UserGroupInformation.java
Attaching updated example that works with Windows/cygwin authorization. It turns out that Java only includes the login module for the current operating system, so we need to explictily specify either the UnixLoginModule or the NTLoginModule. After this change, the code works for either operating system.
Also changed the the kerberos login module authentication to optional. It may be that the user doesn't have Kerberos running, but should still be able to be authenticated.
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (HADOOP-6299) Use JAAS LoginContext for our login
Posted by "Hudson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12805416#action_12805416 ]
Hudson commented on HADOOP-6299:
--------------------------------
Integrated in Hadoop-Common-trunk-Commit #150 (See [http://hudson.zones.apache.org/hudson/job/Hadoop-Common-trunk-Commit/150/])
. Reimplement the UserGroupInformation to use the OS
specific and Kerberos JAAS login. (omalley)
> Use JAAS LoginContext for our login
> -----------------------------------
>
> Key: HADOOP-6299
> URL: https://issues.apache.org/jira/browse/HADOOP-6299
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Arun C Murthy
> Assignee: Owen O'Malley
> Fix For: 0.22.0
>
> Attachments: 6299-MR-early.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, h-6299.patch, HADOOP-6299-2.patch, UserGroupInformation.java, UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.