Posted to common-issues@hadoop.apache.org by "Owen O'Malley (JIRA)" <ji...@apache.org> on 2009/11/11 21:56:39 UTC

[jira] Updated: (HADOOP-6299) Use JAAS LoginContext for our login

     [ https://issues.apache.org/jira/browse/HADOOP-6299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Owen O'Malley updated HADOOP-6299:
----------------------------------

    Attachment: UserGroupInformation.java

This is a prototype of what I have in mind. In particular:

1. Reimplement UserGroupInformation (UGI) to be based entirely on JAAS.
2. UGI will have a single field that is the JAAS Subject that stores all of the information.
3. UGI will support both Unix and Kerberos authentication. Unix is the equivalent of what we have now. Kerberos will assume that the user has a TGT in the ticket cache.
4. Servers will be able to log in using a Kerberos keytab and principal name so that they run as the user.
5. There will be a method to create a remote user based solely on the user name.
6. It will use the Hadoop configuration to determine whether Kerberos or simple authentication is used. The JAAS configuration is done programmatically instead of needing a separate configuration file in $JAVA_HOME.
7. Move User class into UserGroupInformation.
8. Remove Group class.
9. Remove UnixUserGroupInformation class.

> Use JAAS LoginContext for our login
> -----------------------------------
>
>                 Key: HADOOP-6299
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6299
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Arun C Murthy
>             Fix For: 0.22.0
>
>         Attachments: UserGroupInformation.java
>
>
> Currently we use a custom login module in UnixUserGroupInformation for acquiring user-credentials (via config or exec'ing 'whoami'). We should switch to using standard JAAS components such as LoginContext and possibly implement a custom UnixLoginContext for our current requirements. In future we can use this for Kerberos etc. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
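
A sketch of the programmatic JAAS configuration described in points 3, 4 and 6 of the comment above, added here as an illustration; it is not the attached UserGroupInformation.java and not Hadoop code. The class name, the `Mode` enum and the application name "hadoop-example" are hypothetical; the login modules and their options are the ones shipped with the Oracle/OpenJDK runtime (the Unix module only on Unix-like platforms).

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Hypothetical class: builds the JAAS configuration in code, so no separate
// login configuration file has to be installed or referenced.
public class ProgrammaticLogin extends Configuration {
  public enum Mode { SIMPLE, KERBEROS_TICKET_CACHE, KERBEROS_KEYTAB }

  private final Mode mode;
  private final String principal; // read only for KERBEROS_KEYTAB
  private final String keytab;    // read only for KERBEROS_KEYTAB

  public ProgrammaticLogin(Mode mode, String principal, String keytab) {
    this.mode = mode;
    this.principal = principal;
    this.keytab = keytab;
  }

  @Override
  public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
    Map<String, String> opts = new HashMap<>();
    String module = "com.sun.security.auth.module.Krb5LoginModule";
    switch (mode) {
      case SIMPLE:                 // OS identity, no cryptographic proof
        module = "com.sun.security.auth.module.UnixLoginModule";
        break;
      case KERBEROS_TICKET_CACHE:  // user already holds a TGT (e.g. from kinit)
        opts.put("useTicketCache", "true");
        opts.put("doNotPrompt", "true"); // fail instead of asking for a password
        break;
      case KERBEROS_KEYTAB:        // server login with keytab and principal
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab);
        opts.put("principal", principal);
        opts.put("storeKey", "true");    // keep the key in the Subject
        opts.put("doNotPrompt", "true");
        break;
    }
    return new AppConfigurationEntry[] {
        new AppConfigurationEntry(module, LoginModuleControlFlag.REQUIRED, opts) };
  }

  // Logs in and returns the Subject that holds the principals and credentials.
  public static Subject login(Mode mode, String principal, String keytab)
      throws LoginException {
    Subject subject = new Subject();
    new LoginContext("hadoop-example", subject, null,
        new ProgrammaticLogin(mode, principal, keytab)).login();
    return subject;
  }
}
```

With `doNotPrompt` set, a missing ticket cache or unreadable keytab surfaces as a `LoginException` rather than falling back to an interactive prompt. The keytab file itself is a long-lived secret and should be readable only by the service account.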