HDFS-10757. KMSClientProvider combined with KeyProviderCache can result in wrong UGI being used. Contributed by Xiaoyu Yao.
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/be723722 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/be723722 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/be723722 Branch: refs/heads/YARN-4752 Commit: be7237224819e2491aef91cd4f055c7efcf7b90d Parents: 23d7d53 Author: Xiaoyu Yao <x...@apache.org> Authored: Fri Oct 21 14:23:02 2016 -0700 Committer: Xiaoyu Yao <x...@apache.org> Committed: Fri Oct 21 14:23:02 2016 -0700 ---------------------------------------------------------------------- .../crypto/key/kms/KMSClientProvider.java | 52 ++++++++++---------- .../hadoop/security/UserGroupInformation.java | 14 ++++++ 2 files changed, 40 insertions(+), 26 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/be723722/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java index 701e116..db0ee85 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java @@ -373,7 +373,6 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension, private ConnectionConfigurator configurator; private DelegationTokenAuthenticatedURL.Token authToken; private final int authRetry; - private final UserGroupInformation actualUgi; @Override public String toString() { @@ -455,15 +454,6 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension, KMS_CLIENT_ENC_KEY_CACHE_NUM_REFILL_THREADS_DEFAULT), new EncryptedQueueRefiller()); authToken = new DelegationTokenAuthenticatedURL.Token(); - UserGroupInformation.AuthenticationMethod authMethod = - UserGroupInformation.getCurrentUser().getAuthenticationMethod(); - if (authMethod == UserGroupInformation.AuthenticationMethod.PROXY) { - actualUgi = UserGroupInformation.getCurrentUser().getRealUser(); - } else if (authMethod == UserGroupInformation.AuthenticationMethod.TOKEN) { - actualUgi = UserGroupInformation.getLoginUser(); - } else { - actualUgi =UserGroupInformation.getCurrentUser(); - } } private static Path extractKMSPath(URI uri) throws MalformedURLException, IOException { @@ -530,19 +520,9 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension, throws IOException { HttpURLConnection conn; try { - // if current UGI is different from UGI at constructor time, behave as - // proxyuser - UserGroupInformation currentUgi = UserGroupInformation.getCurrentUser(); - final String doAsUser = (currentUgi.getAuthenticationMethod() == - UserGroupInformation.AuthenticationMethod.PROXY) - ? currentUgi.getShortUserName() : null; - - // If current UGI contains kms-dt && is not proxy, doAs it to use its dt. - // Otherwise, create the HTTP connection using the UGI at constructor time - UserGroupInformation ugiToUse = - (currentUgiContainsKmsDt() && doAsUser == null) ? - currentUgi : actualUgi; - conn = ugiToUse.doAs(new PrivilegedExceptionAction<HttpURLConnection>() { + final String doAsUser = getDoAsUser(); + conn = getActualUgi().doAs(new PrivilegedExceptionAction + <HttpURLConnection>() { @Override public HttpURLConnection run() throws Exception { DelegationTokenAuthenticatedURL authUrl = @@ -919,7 +899,7 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension, token, url, doAsUser); final DelegationTokenAuthenticatedURL authUrl = new DelegationTokenAuthenticatedURL(configurator); - return actualUgi.doAs( + return getActualUgi().doAs( new PrivilegedExceptionAction<Long>() { @Override public Long run() throws Exception { @@ -942,7 +922,7 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension, final String doAsUser = getDoAsUser(); final DelegationTokenAuthenticatedURL.Token token = generateDelegationToken(dToken); - return actualUgi.doAs( + return getActualUgi().doAs( new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { @@ -1014,7 +994,7 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension, new DelegationTokenAuthenticatedURL(configurator); try { final String doAsUser = getDoAsUser(); - token = actualUgi.doAs(new PrivilegedExceptionAction<Token<?>>() { + token = getActualUgi().doAs(new PrivilegedExceptionAction<Token<?>>() { @Override public Token<?> run() throws Exception { // Not using the cached token here.. Creating a new token here @@ -1060,6 +1040,26 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension, return false; } + private UserGroupInformation getActualUgi() throws IOException { + final UserGroupInformation currentUgi = UserGroupInformation + .getCurrentUser(); + if (LOG.isDebugEnabled()) { + UserGroupInformation.logAllUserInfo(currentUgi); + } + // Use current user by default + UserGroupInformation actualUgi = currentUgi; + if (currentUgi.getRealUser() != null) { + // Use real user for proxy user + actualUgi = currentUgi.getRealUser(); + } else if (!currentUgiContainsKmsDt() && + !currentUgi.hasKerberosCredentials()) { + // Use login user for user that does not have either + // Kerberos credential or KMS delegation token for KMS operations + actualUgi = currentUgi.getLoginUser(); + } + return actualUgi; + } + /** * Shutdown valueQueue executor threads */ http://git-wip-us.apache.org/repos/asf/hadoop/blob/be723722/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java index e8711b0..bcaf303 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java @@ -1823,6 +1823,20 @@ public class UserGroupInformation { } } + public static void logAllUserInfo(UserGroupInformation ugi) throws + IOException { + if (LOG.isDebugEnabled()) { + LOG.debug("UGI: " + ugi); + if (ugi.getRealUser() != null) { + LOG.debug("+RealUGI: " + ugi.getRealUser()); + } + LOG.debug("+LoginUGI: " + ugi.getLoginUser()); + for (Token<?> token : ugi.getTokens()) { + LOG.debug("+UGI token: " + token); + } + } + } + private void print() throws IOException { System.out.println("User: " + getUserName()); System.out.print("Group Ids: "); --------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org
