Skip to content

HDFS-14668 Support Fuse with Users from multiple Security Realms #1739

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 27, 2020
Merged

HDFS-14668 Support Fuse with Users from multiple Security Realms #1739

merged 1 commit into from
Feb 27, 2020

Conversation

fapifta
Copy link
Contributor

@fapifta fapifta commented Dec 6, 2019

The rationale behind the change is the following:
when a username is specified to the underlying calls of the FileSystem API, that is specified to the Java kerberos layer as a principal name, and if that does not match the principal in the ticket cache, authentication fails on the Java level. This renders FUSE usable in a kerberized environment, if and only if the user's ticket cache contains a principal who's name is matching the name of the OS user used to access the FUSE mount and the realm of the principal is the default realm per the /etc/krb5.conf file. Other cases have worked before the UserGroupInformation changes in HADOOP-9747, and after the change suggested by this PR.

How it was tested:

  • In a non-kerberized environment after deploying the new compiled binary and mount hdfs via fuse:

    • a user can read/write any directory/file that is accessible by him based on his OS username
    • a user can't read/write any directory/file that is not accessible for him based on his OS username
    • username seems to be properly map to the Unix username and permission checks are performed as with the Java client if participating usernames and userids match on the mounting host and the NameNode.

  • In a kerberized environment after deploying the new compiled binary and mount hdfs via fuse:

    • a principal is correctly recognized and authorized regardless of the OS username
    • tested read/write with a principal with the OS username in the default realm
    • tested read/write with a principal with the OS username in a non-default but trusted realm
    • tested read/write with a principal with a name different from the OS username in the default realm
    • tested read/write with a principal with a name different from the OS username in a non-default but trusted realm

The tests were running manually, as it requires a multiple realm setup with cross-realm trust, which we cannot emulate in the current test environment.

@hadoop-yetus
Copy link

💔 -1 overall

Vote Subsystem Runtime Comment
+0 🆗 reexec 1m 8s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
-1 ❌ test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
_ trunk Compile Tests _
+1 💚 mvninstall 20m 22s trunk passed
+1 💚 compile 1m 49s trunk passed
+1 💚 mvnsite 0m 19s trunk passed
+1 💚 shadedclient 36m 32s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+1 💚 mvninstall 0m 14s the patch passed
+1 💚 compile 1m 39s the patch passed
-1 ❌ cc 1m 39s hadoop-hdfs-project_hadoop-hdfs-native-client generated 5 new + 14 unchanged - 5 fixed = 19 total (was 19)
+1 💚 golang 1m 39s the patch passed
+1 💚 javac 1m 39s the patch passed
+1 💚 mvnsite 0m 14s the patch passed
+1 💚 whitespace 0m 0s The patch has no whitespace issues.
+1 💚 shadedclient 14m 47s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 6m 50s hadoop-hdfs-native-client in the patch passed.
+1 💚 asflicense 0m 27s The patch does not generate ASF License warnings.
64m 10s
Subsystem Report/Notes
Docker Client=19.03.5 Server=19.03.5 base: https://builds.apache.org/job/hadoop-multibranch/job/PR-1739/1/artifact/out/Dockerfile
GITHUB PR #1739
Optional Tests dupname asflicense compile cc mvnsite javac unit golang
uname Linux a0ffb326dad1 4.15.0-66-generic #75-Ubuntu SMP Tue Oct 1 05:24:09 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality personality/hadoop.sh
git revision trunk / fccccc9
Default Java 1.8.0_222
cc https://builds.apache.org/job/hadoop-multibranch/job/PR-1739/1/artifact/out/diff-compile-cc-hadoop-hdfs-project_hadoop-hdfs-native-client.txt
Test Results https://builds.apache.org/job/hadoop-multibranch/job/PR-1739/1/testReport/
Max. process+thread count 307 (vs. ulimit of 5500)
modules C: hadoop-hdfs-project/hadoop-hdfs-native-client U: hadoop-hdfs-project/hadoop-hdfs-native-client
Console output https://builds.apache.org/job/hadoop-multibranch/job/PR-1739/1/console
versions git=2.7.4 maven=3.3.9
Powered by Apache Yetus 0.11.1 https://yetus.apache.org

This message was automatically generated.

@jojochuang
Copy link
Contributor

+1 the fix is deployed and verified to work.

@jojochuang jojochuang merged commit 57aa048 into apache:trunk Feb 27, 2020
jojochuang pushed a commit that referenced this pull request Feb 27, 2020
@fapifta @jojochuang
HDFS-14668 Support Fuse with Users from multiple Security Realms (#1739)
e42ac48 
(cherry picked from commit 57aa048)
jojochuang pushed a commit that referenced this pull request Feb 27, 2020
@fapifta @jojochuang
HDFS-14668 Support Fuse with Users from multiple Security Realms (#1739)
b5022b0 
(cherry picked from commit 57aa048)
(cherry picked from commit e42ac48)
bilaharith pushed a commit to bilaharith/hadoop that referenced this pull request Mar 19, 2020
@fapifta @bilaharith
HDFS-14668 Support Fuse with Users from multiple Security Realms (apa…
6b09e66 
…che#1739)
RogPodge pushed a commit to RogPodge/hadoop that referenced this pull request Mar 25, 2020
@fapifta @RogPodge
HDFS-14668 Support Fuse with Users from multiple Security Realms (apa…
9c76b73 
…che#1739)
bentito pushed a commit to bentito/hadoop that referenced this pull request Dec 2, 2020
@fapifta @bentito
HDFS-14668 Support Fuse with Users from multiple Security Realms (apa…
ddde718 
…che#1739)

(cherry picked from commit 57aa048)
(cherry picked from commit e42ac48)
bentito pushed a commit to bentito/hadoop that referenced this pull request Dec 3, 2020
@fapifta @bentito
HDFS-14668 Support Fuse with Users from multiple Security Realms (apa…
88e03bf 
…che#1739)

(cherry picked from commit 57aa048)
(cherry picked from commit e42ac48)
jojochuang pushed a commit to jojochuang/hadoop that referenced this pull request May 23, 2023
@fapifta @jojochuang
HDFS-14668 Support Fuse with Users from multiple Security Realms (apa…
246c51b 
…che#1739)

(cherry picked from commit 57aa048)
(cherry picked from commit e42ac48)
(cherry picked from commit b5022b0)
Change-Id: Ia9a2216223f578f1059032e841c4534a205017a0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@fapifta @hadoop-yetus @jojochuang