YARN-6332. Make RegistrySecurity use short user names for ZK ACLs. Contributed by Billie Rinaldi
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/6d95866d Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/6d95866d Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/6d95866d Branch: refs/heads/HADOOP-13345 Commit: 6d95866dcf278dd7789604787691fe8ee8d9cc9f Parents: d69a82c Author: Jian He <[email protected]> Authored: Thu Mar 16 12:59:55 2017 +0800 Committer: Jian He <[email protected]> Committed: Thu Mar 16 12:59:55 2017 +0800 ---------------------------------------------------------------------- .../registry/client/impl/zk/RegistrySecurity.java | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/6d95866d/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/client/impl/zk/RegistrySecurity.java ---------------------------------------------------------------------- diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/client/impl/zk/RegistrySecurity.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/client/impl/zk/RegistrySecurity.java index bdb79be..23fadb5 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/client/impl/zk/RegistrySecurity.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/client/impl/zk/RegistrySecurity.java @@ -154,6 +154,8 @@ public class RegistrySecurity extends AbstractService { */ private final List<ACL> systemACLs = new ArrayList<ACL>(); + private boolean usesRealm = true; + /** * A list of digest ACLs which can be added to permissions * âand cleared later. 
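Review bot: The new `usesRealm` field has no Javadoc, unlike the members around it, and its default of `true` matters: any ACL built before the system-accounts configuration is read will carry the full principal. I would add `/** True when the configured system accounts contain '@', so SASL ACL ids keep the Kerberos realm; false selects short user names. */` above it. The field is written from the initialisation code in the next hunk and read from public methods. If those can run on different threads it should probably be `volatile`, which cannot be confirmed from the lines shown.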
@@ -232,6 +234,7 @@ public class RegistrySecurity extends AbstractService { // System Accounts String system = getOrFail(KEY_REGISTRY_SYSTEM_ACCOUNTS, DEFAULT_REGISTRY_SYSTEM_ACCOUNTS); + usesRealm = system.contains("@"); systemACLs.addAll(buildACLs(system, kerberosRealm, ZooDefs.Perms.ALL)); @@ -395,7 +398,12 @@ public class RegistrySecurity extends AbstractService { * @return a new ACL */ public ACL createSaslACL(UserGroupInformation ugi, int perms) { - String userName = ugi.getUserName(); + String userName = null; + if (usesRealm) { + userName = ugi.getUserName(); + } else { + userName = ugi.getShortUserName(); + } return new ACL(perms, new Id(SCHEME_SASL, userName)); } @@ -958,7 +966,7 @@ public class RegistrySecurity extends AbstractService { * @return an ACL for the user */ public ACL createACLfromUsername(String username, int perms) { - if (!username.contains("@")) { + if (usesRealm && !username.contains("@")) { username = username + "@" + kerberosRealm; if (LOG.isDebugEnabled()) { LOG.debug("Appending kerberos realm to make {}", username); --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
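Review bot: `usesRealm = system.contains("@")` lets a single character anywhere in the system-accounts string select the identity format for every user ACL this class creates afterwards. A list that mixes realm-qualified and short entries, or a non-SASL entry that happens to contain '@', would switch the mode silently. In short-name mode the realm no longer distinguishes principals, so under cross-realm trust `alice@A` and `alice@B` would presumably match the same ACL; that trade-off deserves a comment here and in the documentation of the configuration key. The short form also only matches if the ZooKeeper server strips the realm (`zookeeper.kerberos.removeRealmFromPrincipal`), so logging the chosen mode once, e.g. `LOG.info("Registry SASL ACLs use {} user names", usesRealm ? "full" : "short");`, would make a mismatch diagnosable.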
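Review bot: In the `else` branch of `createSaslACL`, `ugi.getShortUserName()` returns the name produced by Hadoop's `auth_to_local` mapping, which is not necessarily the principal with its realm removed. ZooKeeper compares the ACL id with the id it derives from the authenticated principal, so for a remapped name or a `user/host@REALM` service principal the ACL may match nobody, or match a different account that maps to the same short name. The method's Javadoc should state which form is returned and which server-side settings it assumes. As a style point the `null` initialiser is dead; `String userName = usesRealm ? ugi.getUserName() : ugi.getShortUserName();` says the same in one line.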
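Review bot: With `usesRealm` false, the changed condition in `createACLfromUsername` only stops the realm from being appended; a caller that passes `user@REALM` still gets an ACL holding the full principal, while `createSaslACL` now emits the short form for the same user. If short names are the intent, the two methods should agree, either by stripping the realm here or by saying in the Javadoc that the name is used verbatim in that mode, e.g. `* When the registry is configured for short names the username is used as given.` The rest of `createACLfromUsername` lies outside the hunk, so whether the name is normalised further down cannot be seen from here.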
