diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java index df6768dac1..ccc896821f 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java @@ -1071,10 +1071,9 @@ private Text getDelegationTokenService() throws IOException { return dtService; } - private boolean currentUgiContainsKmsDt() throws IOException { - // Add existing credentials from current UGI, since provider is cached. - Credentials creds = UserGroupInformation.getCurrentUser(). - getCredentials(); + private boolean containsKmsDt(UserGroupInformation ugi) throws IOException { + // Add existing credentials from the UGI, since provider is cached. + Credentials creds = ugi.getCredentials(); if (!creds.getAllTokens().isEmpty()) { org.apache.hadoop.security.token.Token dToken = creds.getToken(getDelegationTokenService()); @@ -1096,11 +1095,15 @@ private UserGroupInformation getActualUgi() throws IOException { if (currentUgi.getRealUser() != null) { // Use real user for proxy user actualUgi = currentUgi.getRealUser(); - } else if (!currentUgiContainsKmsDt() && - !currentUgi.hasKerberosCredentials()) { + } + + if (!containsKmsDt(actualUgi) && + !actualUgi.hasKerberosCredentials()) { // Use login user for user that does not have either // Kerberos credential or KMS delegation token for KMS operations - actualUgi = currentUgi.getLoginUser(); + LOG.debug("using loginUser no KMS Delegation Token " + + "no Kerberos Credentials"); + actualUgi = UserGroupInformation.getLoginUser(); } return actualUgi; }