YARN-6332. Make RegistrySecurity use short user names for ZK ACLs. Contributed by Billie Rinaldi

This commit is contained in:
Jian He 2017-03-16 12:59:55 +08:00
parent d69a82c89c
commit 6d95866dcf

View File

@ -154,6 +154,8 @@ private enum AccessPolicy {
*/ */
private final List<ACL> systemACLs = new ArrayList<ACL>(); private final List<ACL> systemACLs = new ArrayList<ACL>();
private boolean usesRealm = true;
/** /**
* A list of digest ACLs which can be added to permissions * A list of digest ACLs which can be added to permissions
* and cleared later. * and cleared later.
@ -232,6 +234,7 @@ private void initSecurity() throws IOException {
// System Accounts // System Accounts
String system = getOrFail(KEY_REGISTRY_SYSTEM_ACCOUNTS, String system = getOrFail(KEY_REGISTRY_SYSTEM_ACCOUNTS,
DEFAULT_REGISTRY_SYSTEM_ACCOUNTS); DEFAULT_REGISTRY_SYSTEM_ACCOUNTS);
usesRealm = system.contains("@");
systemACLs.addAll(buildACLs(system, kerberosRealm, ZooDefs.Perms.ALL)); systemACLs.addAll(buildACLs(system, kerberosRealm, ZooDefs.Perms.ALL));
@ -395,7 +398,12 @@ public ACL createSaslACLFromCurrentUser(int perms) throws IOException {
* @return a new ACL * @return a new ACL
*/ */
public ACL createSaslACL(UserGroupInformation ugi, int perms) { public ACL createSaslACL(UserGroupInformation ugi, int perms) {
String userName = ugi.getUserName(); String userName = null;
if (usesRealm) {
userName = ugi.getUserName();
} else {
userName = ugi.getShortUserName();
}
return new ACL(perms, new Id(SCHEME_SASL, userName)); return new ACL(perms, new Id(SCHEME_SASL, userName));
} }
@ -958,7 +966,7 @@ public ACL createACLForUser(UserGroupInformation ugi, int perms) {
* @return an ACL for the user * @return an ACL for the user
*/ */
public ACL createACLfromUsername(String username, int perms) { public ACL createACLfromUsername(String username, int perms) {
if (!username.contains("@")) { if (usesRealm && !username.contains("@")) {
username = username + "@" + kerberosRealm; username = username + "@" + kerberosRealm;
if (LOG.isDebugEnabled()) { if (LOG.isDebugEnabled()) {
LOG.debug("Appending kerberos realm to make {}", username); LOG.debug("Appending kerberos realm to make {}", username);