HADOOP-11482. Use correct UGI when KMSClientProvider is called by a proxy user. Contributed by Arun Suresh.
parent
56df5f41eb
commit
4b00935643
@ -756,6 +756,9 @@ Release 2.7.0 - UNRELEASED
|
||||
HADOOP-11507 Hadoop RPC Authentication problem with different user locale.
|
||||
(Talat UYARER via stevel)
|
||||
|
||||
HADOOP-11482. Use correct UGI when KMSClientProvider is called by a proxy
|
||||
user. Contributed by Arun Suresh.
|
||||
|
||||
Release 2.6.0 - 2014-11-18
|
||||
|
||||
INCOMPATIBLE CHANGES
|
||||
|
@ -787,25 +787,44 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
|
||||
}
|
||||
|
||||
@Override
|
||||
public Token<?>[] addDelegationTokens(String renewer,
|
||||
public Token<?>[] addDelegationTokens(final String renewer,
|
||||
Credentials credentials) throws IOException {
|
||||
Token<?>[] tokens = null;
|
||||
Text dtService = getDelegationTokenService();
|
||||
Token<?> token = credentials.getToken(dtService);
|
||||
if (token == null) {
|
||||
URL url = createURL(null, null, null, null);
|
||||
DelegationTokenAuthenticatedURL authUrl =
|
||||
final URL url = createURL(null, null, null, null);
|
||||
final DelegationTokenAuthenticatedURL authUrl =
|
||||
new DelegationTokenAuthenticatedURL(configurator);
|
||||
try {
|
||||
token = authUrl.getDelegationToken(url, authToken, renewer);
|
||||
// 'actualUGI' is the UGI of the user creating the client
|
||||
// It is possible that the creator of the KMSClientProvier
|
||||
// calls this method on behalf of a proxyUser (the doAsUser).
|
||||
// In which case this call has to be made as the proxy user.
|
||||
UserGroupInformation currentUgi = UserGroupInformation.getCurrentUser();
|
||||
final String doAsUser = (currentUgi.getAuthenticationMethod() ==
|
||||
UserGroupInformation.AuthenticationMethod.PROXY)
|
||||
? currentUgi.getShortUserName() : null;
|
||||
|
||||
token = actualUgi.doAs(new PrivilegedExceptionAction<Token<?>>() {
|
||||
@Override
|
||||
public Token<?> run() throws Exception {
|
||||
// Not using the cached token here.. Creating a new token here
|
||||
// everytime.
|
||||
return authUrl.getDelegationToken(url,
|
||||
new DelegationTokenAuthenticatedURL.Token(), renewer, doAsUser);
|
||||
}
|
||||
});
|
||||
if (token != null) {
|
||||
credentials.addToken(token.getService(), token);
|
||||
tokens = new Token<?>[] { token };
|
||||
} else {
|
||||
throw new IOException("Got NULL as delegation token");
|
||||
}
|
||||
} catch (AuthenticationException ex) {
|
||||
throw new IOException(ex);
|
||||
} catch (InterruptedException e) {
|
||||
Thread.currentThread().interrupt();
|
||||
} catch (Exception e) {
|
||||
throw new IOException(e);
|
||||
}
|
||||
}
|
||||
return tokens;
|
||||
|
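Review bot: The `catch (InterruptedException e)` branch of addDelegationTokens only restores the interrupt flag and then falls through to `return tokens;` with `tokens` still null. That is the same value the method returns when the credentials already hold a token, so a caller cannot tell an interrupted fetch from "nothing to add" and may continue without a KMS delegation token. Throwing after the re-interrupt keeps the failure visible: `Thread.currentThread().interrupt(); throw new IOException(e);`. The following `catch (Exception e)` also re-wraps the `IOException("Got NULL as delegation token")` raised inside the same try, so rethrowing an existing IOException unchanged (`if (e instanceof IOException) throw (IOException) e;`) would avoid the double wrap. This rendered page does not mark which catch clauses are new, and the method's closing brace lies outside the hunk.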
@ -284,6 +284,7 @@ public class TestKMS {
|
||||
password = null;
|
||||
}
|
||||
|
||||
conf.set("hadoop.kms.authentication.token.validity", "1");
|
||||
if (kerberos) {
|
||||
conf.set("hadoop.kms.authentication.type", "kerberos");
|
||||
conf.set("hadoop.kms.authentication.kerberos.keytab",
|
||||
@ -337,6 +338,11 @@ public class TestKMS {
|
||||
final KeyProvider kp = new KMSClientProvider(uri, conf);
|
||||
// getKeys() empty
|
||||
Assert.assertTrue(kp.getKeys().isEmpty());
|
||||
|
||||
Thread.sleep(4000);
|
||||
Token<?>[] tokens = ((KMSClientProvider)kp).addDelegationTokens("myuser", new Credentials());
|
||||
Assert.assertEquals(1, tokens.length);
|
||||
Assert.assertEquals("kms-dt", tokens[0].getKind().toString());
|
||||
return null;
|
||||
}
|
||||
});
|
||||
@ -346,6 +352,7 @@ public class TestKMS {
|
||||
// getKeys() empty
|
||||
Assert.assertTrue(kp.getKeys().isEmpty());
|
||||
|
||||
Thread.sleep(4000);
|
||||
Token<?>[] tokens = ((KMSClientProvider)kp).addDelegationTokens("myuser", new Credentials());
|
||||
Assert.assertEquals(1, tokens.length);
|
||||
Assert.assertEquals("kms-dt", tokens[0].getKind().toString());
|
||||
|
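Review bot: Neither `Thread.sleep(4000)` call has a comment tying it to `conf.set("hadoop.kms.authentication.token.validity", "1")` in the first TestKMS hunk, so the reason for the wait is invisible at the call sites. Presumably the sleep lets the cached authentication token expire so that `addDelegationTokens` must authenticate afresh instead of reusing it. If so, a comment above each sleep such as `// wait past hadoop.kms.authentication.token.validity so the cached auth token has expired` would record that. The validity setting appears to sit in configuration code shared by other tests, so confirm that the shortened lifetime does not change what those tests exercise. The enclosing methods start and end outside these hunks.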