From 7d0adddf095962751a4e1f0fadc21720d51ceced Mon Sep 17 00:00:00 2001 From: zhoukang Date: Tue, 5 Nov 2019 09:13:29 +0800 Subject: [PATCH] YARN-9689: Support proxy user for Router to support kerberos (#1654) --- .../router/clientrm/FederationClientInterceptor.java | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/main/java/org/apache/hadoop/yarn/server/router/clientrm/FederationClientInterceptor.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/main/java/org/apache/hadoop/yarn/server/router/clientrm/FederationClientInterceptor.java index 3422fd15f8..c4ae6ab4d4 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/main/java/org/apache/hadoop/yarn/server/router/clientrm/FederationClientInterceptor.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/main/java/org/apache/hadoop/yarn/server/router/clientrm/FederationClientInterceptor.java @@ -38,6 +38,8 @@ import java.util.concurrent.TimeUnit; import org.apache.commons.lang3.NotImplementedException; import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.fs.CommonConfigurationKeys; +import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.yarn.api.ApplicationClientProtocol; import org.apache.hadoop.yarn.api.protocolrecords.CancelDelegationTokenRequest; import org.apache.hadoop.yarn.api.protocolrecords.CancelDelegationTokenResponse; @@ -214,8 +216,15 @@ protected ApplicationClientProtocol getClientRMProxyForSubCluster( ApplicationClientProtocol clientRMProxy = null; try { + boolean serviceAuthEnabled = getConf().getBoolean( + CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, false); + UserGroupInformation realUser = user; + if (serviceAuthEnabled) { + realUser = UserGroupInformation.createProxyUser( + user.getShortUserName(), UserGroupInformation.getLoginUser()); + } clientRMProxy = FederationProxyProviderUtil.createRMProxy(getConf(), - ApplicationClientProtocol.class, subClusterId, user); + ApplicationClientProtocol.class, subClusterId, realUser); } catch (Exception e) { RouterServerUtil.logAndThrowException( "Unable to create the interface to reach the SubCluster "