Revert "HDFS-10757. KMSClientProvider combined with KeyProviderCache can result 
in wrong UGI being used. Contributed by Xiaoyu Yao."

This reverts commit be7237224819e2491aef91cd4f055c7efcf7b90d.


Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/da901b6c
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/da901b6c
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/da901b6c

Branch: refs/heads/YARN-4752
Commit: da901b6c1487b2e2184b300e05a7d0f6949d076b
Parents: d4725bf
Author: Xiaoyu Yao <x...@apache.org>
Authored: Sun Oct 23 08:25:37 2016 -0700
Committer: Xiaoyu Yao <x...@apache.org>
Committed: Sun Oct 23 08:25:37 2016 -0700

----------------------------------------------------------------------
 .../crypto/key/kms/KMSClientProvider.java       | 52 ++++++++++----------
 .../hadoop/security/UserGroupInformation.java   | 14 ------
 2 files changed, 26 insertions(+), 40 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hadoop/blob/da901b6c/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
----------------------------------------------------------------------
diff --git 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
index db0ee85..701e116 100644
--- 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
+++ 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
@@ -373,6 +373,7 @@ public class KMSClientProvider extends KeyProvider 
implements CryptoExtension,
   private ConnectionConfigurator configurator;
   private DelegationTokenAuthenticatedURL.Token authToken;
   private final int authRetry;
+  private final UserGroupInformation actualUgi;
 
   @Override
   public String toString() {
@@ -454,6 +455,15 @@ public class KMSClientProvider extends KeyProvider 
implements CryptoExtension,
                     KMS_CLIENT_ENC_KEY_CACHE_NUM_REFILL_THREADS_DEFAULT),
             new EncryptedQueueRefiller());
     authToken = new DelegationTokenAuthenticatedURL.Token();
+    UserGroupInformation.AuthenticationMethod authMethod =
+        UserGroupInformation.getCurrentUser().getAuthenticationMethod();
+    if (authMethod == UserGroupInformation.AuthenticationMethod.PROXY) {
+      actualUgi = UserGroupInformation.getCurrentUser().getRealUser();
+    } else if (authMethod == UserGroupInformation.AuthenticationMethod.TOKEN) {
+      actualUgi = UserGroupInformation.getLoginUser();
+    } else {
+      actualUgi =UserGroupInformation.getCurrentUser();
+    }
   }
 
   private static Path extractKMSPath(URI uri) throws MalformedURLException, 
IOException {
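Review bot: The constructor (which starts outside this hunk) resolves the caller's identity once and stores it in the final field `actualUgi`, so any later request on this instance that falls back to `actualUgi` runs as whoever constructed it. The title of the reverted change says this picks the wrong UGI when the provider comes from KeyProviderCache. If instances are still shared that way, this revert restores that behaviour, and the commit message gives neither a reason nor a follow-up issue. At minimum the field should carry a comment such as `// identity captured at construction; every caller sharing this instance falls back to it`. Two smaller points: `UserGroupInformation.getCurrentUser()` is called up to twice and could be read once into a local, and `actualUgi =UserGroupInformation.getCurrentUser();` is missing a space after `=`.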
@@ -520,9 +530,19 @@ public class KMSClientProvider extends KeyProvider 
implements CryptoExtension,
       throws IOException {
     HttpURLConnection conn;
     try {
-      final String doAsUser = getDoAsUser();
-      conn = getActualUgi().doAs(new PrivilegedExceptionAction
-          <HttpURLConnection>() {
+      // if current UGI is different from UGI at constructor time, behave as
+      // proxyuser
+      UserGroupInformation currentUgi = UserGroupInformation.getCurrentUser();
+      final String doAsUser = (currentUgi.getAuthenticationMethod() ==
+          UserGroupInformation.AuthenticationMethod.PROXY)
+                              ? currentUgi.getShortUserName() : null;
+
+      // If current UGI contains kms-dt && is not proxy, doAs it to use its dt.
+      // Otherwise, create the HTTP connection using the UGI at constructor 
time
+      UserGroupInformation ugiToUse =
+          (currentUgiContainsKmsDt() && doAsUser == null) ?
+              currentUgi : actualUgi;
+      conn = ugiToUse.doAs(new PrivilegedExceptionAction<HttpURLConnection>() {
         @Override
         public HttpURLConnection run() throws Exception {
           DelegationTokenAuthenticatedURL authUrl =
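Review bot: The comment `// if current UGI is different from UGI at constructor time, behave as proxyuser` does not match the code below it, which never compares `currentUgi` with `actualUgi` and sets `doAsUser` only when the current authentication method is PROXY. As far as this hunk shows, a caller that is neither a proxy user nor holding a KMS delegation token gets `doAsUser == null` and `ugiToUse == actualUgi`. The connection is then opened under the constructor-time identity, and nothing in the request names the real caller. If that is intended, the comment should say so, e.g. `// non-proxy callers without a kms-dt are sent as the constructor-time UGI`; if it is not, the fallback needs a check that `currentUgi` is the same user as `actualUgi`. The enclosing method starts and ends outside this hunk.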
@@ -899,7 +919,7 @@ public class KMSClientProvider extends KeyProvider 
implements CryptoExtension,
           token, url, doAsUser);
       final DelegationTokenAuthenticatedURL authUrl =
           new DelegationTokenAuthenticatedURL(configurator);
-      return getActualUgi().doAs(
+      return actualUgi.doAs(
           new PrivilegedExceptionAction<Long>() {
             @Override
             public Long run() throws Exception {
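Review bot: `return actualUgi.doAs(` here, and the same substitution in the hunks at -922 and -994, runs these delegation-token operations under the identity captured in the constructor rather than one resolved per call. In the -922 and -994 hunks `doAsUser` is still computed by `getDoAsUser()` at call time, so the authenticating identity and the impersonated name can come from different moments and possibly different users; `getDoAsUser()` is not shown, so this should be confirmed against its body. A comment at each call site would make the split explicit, e.g. `// actualUgi is fixed at construction; doAsUser reflects the current caller`. All three enclosing methods start and end outside their hunks.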
@@ -922,7 +942,7 @@ public class KMSClientProvider extends KeyProvider 
implements CryptoExtension,
       final String doAsUser = getDoAsUser();
       final DelegationTokenAuthenticatedURL.Token token =
           generateDelegationToken(dToken);
-      return getActualUgi().doAs(
+      return actualUgi.doAs(
           new PrivilegedExceptionAction<Void>() {
             @Override
             public Void run() throws Exception {
@@ -994,7 +1014,7 @@ public class KMSClientProvider extends KeyProvider 
implements CryptoExtension,
           new DelegationTokenAuthenticatedURL(configurator);
       try {
         final String doAsUser = getDoAsUser();
-        token = getActualUgi().doAs(new PrivilegedExceptionAction<Token<?>>() {
+        token = actualUgi.doAs(new PrivilegedExceptionAction<Token<?>>() {
           @Override
           public Token<?> run() throws Exception {
             // Not using the cached token here.. Creating a new token here
@@ -1040,26 +1060,6 @@ public class KMSClientProvider extends KeyProvider 
implements CryptoExtension,
     return false;
   }
 
-  private UserGroupInformation getActualUgi() throws IOException {
-    final UserGroupInformation currentUgi = UserGroupInformation
-        .getCurrentUser();
-    if (LOG.isDebugEnabled()) {
-      UserGroupInformation.logAllUserInfo(currentUgi);
-    }
-    // Use current user by default
-    UserGroupInformation actualUgi = currentUgi;
-    if (currentUgi.getRealUser() != null) {
-      // Use real user for proxy user
-      actualUgi = currentUgi.getRealUser();
-    } else if (!currentUgiContainsKmsDt() &&
-        !currentUgi.hasKerberosCredentials()) {
-      // Use login user for user that does not have either
-      // Kerberos credential or KMS delegation token for KMS operations
-      actualUgi = currentUgi.getLoginUser();
-    }
-    return actualUgi;
-  }
-
   /**
    * Shutdown valueQueue executor threads
    */

http://git-wip-us.apache.org/repos/asf/hadoop/blob/da901b6c/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
----------------------------------------------------------------------
diff --git 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
index bcaf303..e8711b0 100644
--- 
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
+++ 
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
@@ -1823,20 +1823,6 @@ public class UserGroupInformation {
     }
   }
 
-  public static void logAllUserInfo(UserGroupInformation ugi) throws
-      IOException {
-    if (LOG.isDebugEnabled()) {
-      LOG.debug("UGI: " + ugi);
-      if (ugi.getRealUser() != null) {
-        LOG.debug("+RealUGI: " + ugi.getRealUser());
-      }
-      LOG.debug("+LoginUGI: " + ugi.getLoginUser());
-      for (Token<?> token : ugi.getTokens()) {
-        LOG.debug("+UGI token: " + token);
-      }
-    }
-  }
-
   private void print() throws IOException {
     System.out.println("User: " + getUserName());
     System.out.print("Group Ids: ");

