From da901b6c1487b2e2184b300e05a7d0f6949d076b Mon Sep 17 00:00:00 2001 From: Xiaoyu Yao Date: Sun, 23 Oct 2016 08:25:37 -0700 Subject: [PATCH] Revert "HDFS-10757. KMSClientProvider combined with KeyProviderCache can result in wrong UGI being used. Contributed by Xiaoyu Yao." This reverts commit be7237224819e2491aef91cd4f055c7efcf7b90d. --- .../crypto/key/kms/KMSClientProvider.java | 52 +++++++++---------- .../hadoop/security/UserGroupInformation.java | 14 ----- 2 files changed, 26 insertions(+), 40 deletions(-) diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java index db0ee85033..701e116f99 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java @@ -373,6 +373,7 @@ public static String checkNotEmpty(String s, String name) private ConnectionConfigurator configurator; private DelegationTokenAuthenticatedURL.Token authToken; private final int authRetry; + private final UserGroupInformation actualUgi; @Override public String toString() { @@ -454,6 +455,15 @@ public KMSClientProvider(URI uri, Configuration conf) throws IOException { KMS_CLIENT_ENC_KEY_CACHE_NUM_REFILL_THREADS_DEFAULT), new EncryptedQueueRefiller()); authToken = new DelegationTokenAuthenticatedURL.Token(); + UserGroupInformation.AuthenticationMethod authMethod = + UserGroupInformation.getCurrentUser().getAuthenticationMethod(); + if (authMethod == UserGroupInformation.AuthenticationMethod.PROXY) { + actualUgi = UserGroupInformation.getCurrentUser().getRealUser(); + } else if (authMethod == UserGroupInformation.AuthenticationMethod.TOKEN) { + actualUgi = UserGroupInformation.getLoginUser(); + } else { + actualUgi =UserGroupInformation.getCurrentUser(); + } } private static Path extractKMSPath(URI uri) throws MalformedURLException, IOException { @@ -520,9 +530,19 @@ private HttpURLConnection createConnection(final URL url, String method) throws IOException { HttpURLConnection conn; try { - final String doAsUser = getDoAsUser(); - conn = getActualUgi().doAs(new PrivilegedExceptionAction - () { + // if current UGI is different from UGI at constructor time, behave as + // proxyuser + UserGroupInformation currentUgi = UserGroupInformation.getCurrentUser(); + final String doAsUser = (currentUgi.getAuthenticationMethod() == + UserGroupInformation.AuthenticationMethod.PROXY) + ? currentUgi.getShortUserName() : null; + + // If current UGI contains kms-dt && is not proxy, doAs it to use its dt. + // Otherwise, create the HTTP connection using the UGI at constructor time + UserGroupInformation ugiToUse = + (currentUgiContainsKmsDt() && doAsUser == null) ? + currentUgi : actualUgi; + conn = ugiToUse.doAs(new PrivilegedExceptionAction() { @Override public HttpURLConnection run() throws Exception { DelegationTokenAuthenticatedURL authUrl = @@ -899,7 +919,7 @@ public long renewDelegationToken(final Token dToken) throws IOException { token, url, doAsUser); final DelegationTokenAuthenticatedURL authUrl = new DelegationTokenAuthenticatedURL(configurator); - return getActualUgi().doAs( + return actualUgi.doAs( new PrivilegedExceptionAction() { @Override public Long run() throws Exception { @@ -922,7 +942,7 @@ public Void cancelDelegationToken(final Token dToken) throws IOException { final String doAsUser = getDoAsUser(); final DelegationTokenAuthenticatedURL.Token token = generateDelegationToken(dToken); - return getActualUgi().doAs( + return actualUgi.doAs( new PrivilegedExceptionAction() { @Override public Void run() throws Exception { @@ -994,7 +1014,7 @@ public Token[] addDelegationTokens(final String renewer, new DelegationTokenAuthenticatedURL(configurator); try { final String doAsUser = getDoAsUser(); - token = getActualUgi().doAs(new PrivilegedExceptionAction>() { + token = actualUgi.doAs(new PrivilegedExceptionAction>() { @Override public Token run() throws Exception { // Not using the cached token here.. Creating a new token here @@ -1040,26 +1060,6 @@ private boolean currentUgiContainsKmsDt() throws IOException { return false; } - private UserGroupInformation getActualUgi() throws IOException { - final UserGroupInformation currentUgi = UserGroupInformation - .getCurrentUser(); - if (LOG.isDebugEnabled()) { - UserGroupInformation.logAllUserInfo(currentUgi); - } - // Use current user by default - UserGroupInformation actualUgi = currentUgi; - if (currentUgi.getRealUser() != null) { - // Use real user for proxy user - actualUgi = currentUgi.getRealUser(); - } else if (!currentUgiContainsKmsDt() && - !currentUgi.hasKerberosCredentials()) { - // Use login user for user that does not have either - // Kerberos credential or KMS delegation token for KMS operations - actualUgi = currentUgi.getLoginUser(); - } - return actualUgi; - } - /** * Shutdown valueQueue executor threads */ diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java index bcaf303d17..e8711b0394 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java @@ -1823,20 +1823,6 @@ private void logPrivilegedAction(Subject subject, Object action) { } } - public static void logAllUserInfo(UserGroupInformation ugi) throws - IOException { - if (LOG.isDebugEnabled()) { - LOG.debug("UGI: " + ugi); - if (ugi.getRealUser() != null) { - LOG.debug("+RealUGI: " + ugi.getRealUser()); - } - LOG.debug("+LoginUGI: " + ugi.getLoginUser()); - for (Token token : ugi.getTokens()) { - LOG.debug("+UGI token: " + token); - } - } - } - private void print() throws IOException { System.out.println("User: " + getUserName()); System.out.print("Group Ids: ");