HDFS-14668 Support Fuse with Users from multiple Security Realms (#1739)

(cherry picked from commit 57aa048516)
This commit is contained in:
Istvan Fajth 2020-02-27 16:48:15 +01:00 committed by Wei-Chiu Chuang
parent 27cfda708e
commit e42ac486e7
1 changed files with 11 additions and 1 deletions

View File

@ -476,7 +476,6 @@ static int fuseNewConnect(const char *usrname, struct fuse_context *ctx,
if (gPort) { if (gPort) {
hdfsBuilderSetNameNodePort(bld, gPort); hdfsBuilderSetNameNodePort(bld, gPort);
} }
hdfsBuilderSetUserName(bld, usrname);
if (gHdfsAuthConf == AUTH_CONF_KERBEROS) { if (gHdfsAuthConf == AUTH_CONF_KERBEROS) {
findKerbTicketCachePath(ctx, kpath, sizeof(kpath)); findKerbTicketCachePath(ctx, kpath, sizeof(kpath));
if (stat(kpath, &st) < 0) { if (stat(kpath, &st) < 0) {
@ -495,6 +494,17 @@ static int fuseNewConnect(const char *usrname, struct fuse_context *ctx,
ret = -ENOMEM; ret = -ENOMEM;
goto error; goto error;
} }
} else {
// earlier the username was set to the builder always, but due to
// HADOOP-9747 if we specify the username in case of kerberos authentication
// the username will be used as the principal name, and that will conflict
// with ticket cache based authentication as we have the OS user name here
// not the real kerberos principal name. So with SIMPLE auth we pass on the
// OS username still, and the UGI will use that as the username, but with
// kerberos authentication we do not pass in the OS username and let the
// authentication happen with the principal who's ticket is in the ticket
// cache. (HDFS-15034 is still a possible improvement for SIMPLE AUTH.)
hdfsBuilderSetUserName(bld, usrname);
} }
conn->usrname = strdup(usrname); conn->usrname = strdup(usrname);
if (!conn->usrname) { if (!conn->usrname) {