HADOOP-13988. KMSClientProvider does not work with WebHDFS and Apache Knox w/ProxyUser. Contributed by Greg Senia and Xiaoyu Yao.
This commit is contained in:
parent
7fc3e68a87
commit
a46933e8ce
@ -1071,10 +1071,9 @@ private Text getDelegationTokenService() throws IOException {
|
|||||||
return dtService;
|
return dtService;
|
||||||
}
|
}
|
||||||
|
|
||||||
private boolean currentUgiContainsKmsDt() throws IOException {
|
private boolean containsKmsDt(UserGroupInformation ugi) throws IOException {
|
||||||
// Add existing credentials from current UGI, since provider is cached.
|
// Add existing credentials from the UGI, since provider is cached.
|
||||||
Credentials creds = UserGroupInformation.getCurrentUser().
|
Credentials creds = ugi.getCredentials();
|
||||||
getCredentials();
|
|
||||||
if (!creds.getAllTokens().isEmpty()) {
|
if (!creds.getAllTokens().isEmpty()) {
|
||||||
org.apache.hadoop.security.token.Token<? extends TokenIdentifier>
|
org.apache.hadoop.security.token.Token<? extends TokenIdentifier>
|
||||||
dToken = creds.getToken(getDelegationTokenService());
|
dToken = creds.getToken(getDelegationTokenService());
|
||||||
@ -1096,11 +1095,15 @@ private UserGroupInformation getActualUgi() throws IOException {
|
|||||||
if (currentUgi.getRealUser() != null) {
|
if (currentUgi.getRealUser() != null) {
|
||||||
// Use real user for proxy user
|
// Use real user for proxy user
|
||||||
actualUgi = currentUgi.getRealUser();
|
actualUgi = currentUgi.getRealUser();
|
||||||
} else if (!currentUgiContainsKmsDt() &&
|
}
|
||||||
!currentUgi.hasKerberosCredentials()) {
|
|
||||||
|
if (!containsKmsDt(actualUgi) &&
|
||||||
|
!actualUgi.hasKerberosCredentials()) {
|
||||||
// Use login user for user that does not have either
|
// Use login user for user that does not have either
|
||||||
// Kerberos credential or KMS delegation token for KMS operations
|
// Kerberos credential or KMS delegation token for KMS operations
|
||||||
actualUgi = currentUgi.getLoginUser();
|
LOG.debug("using loginUser no KMS Delegation Token "
|
||||||
|
+ "no Kerberos Credentials");
|
||||||
|
actualUgi = UserGroupInformation.getLoginUser();
|
||||||
}
|
}
|
||||||
return actualUgi;
|
return actualUgi;
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user