HADOOP-14029. Fix KMSClientProvider for non-secure proxyuser use case. Contributed by Xiaoyu Yao.

This commit is contained in:
Xiaoyu Yao 2017-01-26 20:34:32 -08:00
parent 7bc333ad41
commit 2034315763
2 changed files with 11 additions and 6 deletions

View File

@ -1096,13 +1096,14 @@ private UserGroupInformation getActualUgi() throws IOException {
// Use real user for proxy user
actualUgi = currentUgi.getRealUser();
}
if (!containsKmsDt(actualUgi) &&
if (UserGroupInformation.isSecurityEnabled() &&
!containsKmsDt(actualUgi) &&
!actualUgi.hasKerberosCredentials()) {
// Use login user for user that does not have either
// Use login user is only necessary when Kerberos is enabled
// but the actual user does not have either
// Kerberos credential or KMS delegation token for KMS operations
LOG.debug("using loginUser no KMS Delegation Token "
+ "no Kerberos Credentials");
LOG.debug("Using loginUser when Kerberos is enabled but the actual user" +
" does not have either KMS Delegation Token or Kerberos Credentials");
actualUgi = UserGroupInformation.getLoginUser();
}
return actualUgi;

View File

@ -2419,7 +2419,11 @@ public Void run() throws Exception {
public void doWebHDFSProxyUserTest(final boolean kerberos) throws Exception {
Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "kerberos");
if (kerberos) {
conf.set("hadoop.security.authentication", "kerberos");
}
UserGroupInformation.setConfiguration(conf);
final File testDir = getTestDir();
conf = createBaseKMSConf(testDir, conf);
if (kerberos) {