HADOOP-13988. KMSClientProvider does not work with WebHDFS and Apache Knox w/ProxyUser. Contributed by Greg Senia and Xiaoyu Yao.
(cherry picked from commit a46933e8ce4c1715c11e3e3283bf0e8c2b53b837) (cherry picked from commit 9fa98cc45e7562b0c6ca56851a60e1930a437e17) Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/9fd4e8d5 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/9fd4e8d5 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/9fd4e8d5 Branch: refs/heads/branch-2.8 Commit: 9fd4e8d5ee0e9a617df46a7c3eaa157b88a6c63c Parents: 04fbda4 Author: Xiaoyu Yao <x...@apache.org> Authored: Wed Jan 25 13:26:50 2017 -0800 Committer: Xiao Chen <x...@apache.org> Committed: Mon Apr 9 11:39:08 2018 -0700 ---------------------------------------------------------------------- .../hadoop/crypto/key/kms/KMSClientProvider.java | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/9fd4e8d5/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java ----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
index c02a67c..0f2a6e2 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
@@ -1033,10 +1033,9 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
 return tokens;
 }
 
- private boolean currentUgiContainsKmsDt() throws IOException {
- // Add existing credentials from current UGI, since provider is cached.
- Credentials creds = UserGroupInformation.getCurrentUser().
- getCredentials();
+ private boolean containsKmsDt(UserGroupInformation ugi) throws IOException {
+ // Add existing credentials from the UGI, since provider is cached.
+ Credentials creds = ugi.getCredentials();
 if (!creds.getAllTokens().isEmpty()) {
 LOG.debug("Searching for token that matches service: {}", dtService);
 org.apache.hadoop.security.token.Token<? extends TokenIdentifier>
@@ -1059,11 +1058,15 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
 if (currentUgi.getRealUser() != null) {
 // Use real user for proxy user
 actualUgi = currentUgi.getRealUser();
- } else if (!currentUgiContainsKmsDt() &&
- !currentUgi.hasKerberosCredentials()) {
+ }
+
+ if (!containsKmsDt(actualUgi) &&
+ !actualUgi.hasKerberosCredentials()) {
 // Use login user for user that does not have either
 // Kerberos credential or KMS delegation token for KMS operations
- actualUgi = currentUgi.getLoginUser();
+ LOG.debug("using loginUser no KMS Delegation Token "
+ + "no Kerberos Credentials");
+ actualUgi = UserGroupInformation.getLoginUser();
 }
 return actualUgi;
 }
--------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org
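Review bot: The comment kept at the top of `containsKmsDt` in the first hunk ("Add existing credentials from the UGI, since provider is cached.") does not match the visible lines, which read the passed UGI's credentials and search them for a token matching `dtService` rather than adding anything. Since the method now takes the UGI as a parameter, a short Javadoc would make the contract explicit, for example `/** Checks whether the credentials of {@code ugi} hold a token for this provider's {@code dtService}. */`. The body continues past the end of this hunk, so the exact return behaviour should be confirmed before settling the wording.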
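Review bot: The login-user fallback in the second hunk (`if (!containsKmsDt(actualUgi) && !actualUgi.hasKerberosCredentials())`) now also runs when `actualUgi` is the real user of a proxy UGI, yet the added debug line records neither which identity was replaced nor which one is used instead. Because this branch silently changes the identity that authenticates to the KMS, I would log both, e.g. `LOG.debug("No KMS delegation token or Kerberos credentials for {}; using login user {}", actualUgi, UserGroupInformation.getLoginUser());`. In the proxy case the check inspects only the real user's credentials, so the two-line comment above the assignment should say that it refers to the real user rather than the calling user. How the end user is conveyed to the KMS is not visible in this hunk, so it is worth confirming that the fallback cannot cause a request to be evaluated against the login user's own key ACLs. The method starts before this hunk.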