YARN-6332. Make RegistrySecurity use short user names for ZK ACLs. Contributed by Billie Rinaldi
parent
d69a82c89c
commit
6d95866dcf
@ -154,6 +154,8 @@ private enum AccessPolicy {
|
|||||||
*/
|
*/
|
||||||
private final List<ACL> systemACLs = new ArrayList<ACL>();
|
private final List<ACL> systemACLs = new ArrayList<ACL>();
|
||||||
|
|
||||||
|
private boolean usesRealm = true;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A list of digest ACLs which can be added to permissions
|
* A list of digest ACLs which can be added to permissions
|
||||||
* —and cleared later.
|
* —and cleared later.
|
||||||
@ -232,6 +234,7 @@ private void initSecurity() throws IOException {
|
|||||||
// System Accounts
|
// System Accounts
|
||||||
String system = getOrFail(KEY_REGISTRY_SYSTEM_ACCOUNTS,
|
String system = getOrFail(KEY_REGISTRY_SYSTEM_ACCOUNTS,
|
||||||
DEFAULT_REGISTRY_SYSTEM_ACCOUNTS);
|
DEFAULT_REGISTRY_SYSTEM_ACCOUNTS);
|
||||||
|
usesRealm = system.contains("@");
|
||||||
|
|
||||||
systemACLs.addAll(buildACLs(system, kerberosRealm, ZooDefs.Perms.ALL));
|
systemACLs.addAll(buildACLs(system, kerberosRealm, ZooDefs.Perms.ALL));
|
||||||
|
|
||||||
@ -395,7 +398,12 @@ public ACL createSaslACLFromCurrentUser(int perms) throws IOException {
|
|||||||
* @return a new ACL
|
* @return a new ACL
|
||||||
*/
|
*/
|
||||||
public ACL createSaslACL(UserGroupInformation ugi, int perms) {
|
public ACL createSaslACL(UserGroupInformation ugi, int perms) {
|
||||||
String userName = ugi.getUserName();
|
String userName = null;
|
||||||
|
if (usesRealm) {
|
||||||
|
userName = ugi.getUserName();
|
||||||
|
} else {
|
||||||
|
userName = ugi.getShortUserName();
|
||||||
|
}
|
||||||
return new ACL(perms, new Id(SCHEME_SASL, userName));
|
return new ACL(perms, new Id(SCHEME_SASL, userName));
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -958,7 +966,7 @@ public ACL createACLForUser(UserGroupInformation ugi, int perms) {
|
|||||||
* @return an ACL for the user
|
* @return an ACL for the user
|
||||||
*/
|
*/
|
||||||
public ACL createACLfromUsername(String username, int perms) {
|
public ACL createACLfromUsername(String username, int perms) {
|
||||||
if (!username.contains("@")) {
|
if (usesRealm && !username.contains("@")) {
|
||||||
username = username + "@" + kerberosRealm;
|
username = username + "@" + kerberosRealm;
|
||||||
if (LOG.isDebugEnabled()) {
|
if (LOG.isDebugEnabled()) {
|
||||||
LOG.debug("Appending kerberos realm to make {}", username);
|
LOG.debug("Appending kerberos realm to make {}", username);
|
||||||
|
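Review bot: `usesRealm = system.contains("@")` in initSecurity() picks the identity format for every user ACL from a substring test on the system-accounts string, so a value that mixes realm-qualified and short entries silently selects full principals for all users. In createSaslACL() the new else branch uses `ugi.getShortUserName()`, which drops the realm, so principals from different realms that share a short name would presumably get the same SASL ACL id. That is only safe if the ZooKeeper servers strip the realm in the same way and a single realm is trusted. The field is also undocumented and defaults to `true`, which is the value createSaslACL() and createACLfromUsername() read if they run before initSecurity(). I would add a comment at the declaration, e.g. `/** True when the system accounts carry a Kerberos realm; when false, SASL ACL ids use short user names and must match how the ZK servers map principals. */`, and consider an explicit configuration key instead of inferring the mode; the bodies of initSecurity() and createACLfromUsername() continue outside the visible hunks.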