HDFS-14668 Support Fuse with Users from multiple Security Realms (#1739)

(cherry picked from commit 57aa048516)
(cherry picked from commit e42ac486e7)
This commit is contained in:
Istvan Fajth 2020-02-27 16:48:15 +01:00 committed by Wei-Chiu Chuang
parent b92477c638
commit b5022b0515
1 changed files with 11 additions and 1 deletions

View File

@ -472,7 +472,6 @@ static int fuseNewConnect(const char *usrname, struct fuse_context *ctx,
if (gPort) {
hdfsBuilderSetNameNodePort(bld, gPort);
}
hdfsBuilderSetUserName(bld, usrname);
if (gHdfsAuthConf == AUTH_CONF_KERBEROS) {
findKerbTicketCachePath(ctx, kpath, sizeof(kpath));
if (stat(kpath, &st) < 0) {
@ -491,6 +490,17 @@ static int fuseNewConnect(const char *usrname, struct fuse_context *ctx,
ret = -ENOMEM;
goto error;
}
} else {
// earlier the username was set to the builder always, but due to
// HADOOP-9747 if we specify the username in case of kerberos authentication
// the username will be used as the principal name, and that will conflict
// with ticket cache based authentication as we have the OS user name here
// not the real kerberos principal name. So with SIMPLE auth we pass on the
// OS username still, and the UGI will use that as the username, but with
// kerberos authentication we do not pass in the OS username and let the
// authentication happen with the principal who's ticket is in the ticket
// cache. (HDFS-15034 is still a possible improvement for SIMPLE AUTH.)
hdfsBuilderSetUserName(bld, usrname);
}
conn->usrname = strdup(usrname);
if (!conn->usrname) {