duongkame commented on code in PR #3911:
URL: https://github.com/apache/ozone/pull/3911#discussion_r1010814047
##########
hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java:
##########
@@ -510,7 +511,23 @@ public OzoneVolume getVolumeDetails(String volumeName)
@Override
public S3VolumeContext getS3VolumeContext() throws IOException {
- return ozoneManagerClient.getS3VolumeContext();
+ S3VolumeContext resp = ozoneManagerClient.getS3VolumeContext();
+ String userPrincipal = resp.getUserPrincipal();
+ updateS3Principal(userPrincipal);
+ return resp;
+ }
+
+ private void updateS3Principal(String userPrincipal) {
+ S3Auth s3Auth = this.getThreadLocalS3Auth();
+ // Update user principal if needed to be used for KMS client
+ if (s3Auth != null) {
+ // Update userPrincipal field with the value returned from OM. So that
+ // in multi-tenancy, KMS client can use the correct identity
+ // (instead of using accessId) to communicate with KMS.
+ LOG.debug("Updating S3Auth.userPrincipal to {}", userPrincipal);
+ s3Auth.setUserPrincipal(userPrincipal);
+ this.setThreadLocalS3Auth(s3Auth);
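Review bot: in updateS3Principal, the value from resp.getUserPrincipal() reaches s3Auth.setUserPrincipal(userPrincipal) without a null or empty check, so a response that carries no principal would overwrite whatever the thread-local S3Auth already holds. Consider skipping the update when the string is null or empty, which would also match the "if needed" wording of the inline comment, since the code currently updates unconditionally whenever s3Auth != null. Separately, this.setThreadLocalS3Auth(s3Auth) stores back the object just obtained from getThreadLocalS3Auth(); if the getter returns the live instance rather than a copy, that call can be dropped.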
Review Comment:
Basically, when a client calls S3G get API, the client's AwsAccessId is
stored as the current UserPrincipal in threadlocal. Then S3G calls OM, through
RpcClient, to grab the key information and OM internally resolves the user
information to the right Kerberos UserPrincipal and returns to S3G. RpcClient
updates this actual Kerberos UserPrincipal in its thread context and uses it to
talk to datanodes.