Author: tgraves Date: Thu Dec 20 20:50:32 2012 New Revision: 1424698 URL: http://svn.apache.org/viewvc?rev=1424698&view=rev Log: HADOOP-8561. Introduce HADOOP_PROXY_USER for secure impersonation in child hadoop client processes (Yu Gao via tgraves)
Added: hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestProxyUserFromEnv.java - copied unchanged from r1422429, hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestProxyUserFromEnv.java Modified: hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java Modified: hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt?rev=1424698&r1=1424697&r2=1424698&view=diff ============================================================================== --- hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt (original) +++ hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt Thu Dec 20 20:50:32 2012 
@@ -15,6 +15,9 @@ Release 0.23.6 - UNRELEASED HADOOP-9108. Add a method to clear terminateCalled to ExitUtil for test cases (Kihwal Lee via tgraves) + HADOOP-8561. Introduce HADOOP_PROXY_USER for secure impersonation in + child hadoop client processes (Yu Gao via tgraves) + OPTIMIZATIONS BUG FIXES Modified: hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java?rev=1424698&r1=1424697&r2=1424698&view=diff ============================================================================== --- hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java (original) +++ hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java Thu Dec 20 20:50:32 2012 @@ -81,6 +81,7 @@ public class UserGroupInformation { */ private static final float TICKET_RENEW_WINDOW = 0.80f; static final String HADOOP_USER_NAME = "HADOOP_USER_NAME"; + static final String HADOOP_PROXY_USER = "HADOOP_PROXY_USER"; /** * UgiMetrics maintains UGI activity statistics 
@@ -502,12 +503,20 @@ public class UserGroupInformation {
 subject);
 }
 login.login();
- loginUser = new UserGroupInformation(subject);
- loginUser.setLogin(login);
- loginUser.setAuthenticationMethod(isSecurityEnabled() ?
- AuthenticationMethod.KERBEROS :
- AuthenticationMethod.SIMPLE);
- loginUser = new UserGroupInformation(login.getSubject());
+ UserGroupInformation realUser = new UserGroupInformation(subject);
+ realUser.setLogin(login);
+ realUser.setAuthenticationMethod(isSecurityEnabled() ?
+ AuthenticationMethod.KERBEROS :
+ AuthenticationMethod.SIMPLE);
+ realUser = new UserGroupInformation(login.getSubject());
+ // If the HADOOP_PROXY_USER environment variable or property
+ // is specified, create a proxy user as the logged in user.
+ String proxyUser = System.getenv(HADOOP_PROXY_USER);
+ if (proxyUser == null) {
+ proxyUser = System.getProperty(HADOOP_PROXY_USER);
+ }
+ loginUser = proxyUser == null ? realUser : createProxyUser(proxyUser, realUser);
+
 String fileLocation = System.getenv(HADOOP_TOKEN_FILE_LOCATION);
 if (fileLocation != null) {
 // load the token storage file and put all of the tokens into the
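Review bot: The value read from `HADOOP_PROXY_USER` is passed to `createProxyUser(proxyUser, realUser)` after only a null check, so a variable that is set but empty or blank is treated as a user name rather than as "not set"; how `createProxyUser` handles that is not visible in this hunk. Normalising first, for example `if (proxyUser != null && proxyUser.trim().isEmpty()) { proxyUser = null; }`, would keep a stray export from changing or breaking the login. Because this switches the process's effective identity based on its environment, a log line naming both the real and the effective user whenever a proxy user is created would give operators something to audit, and the comment should state that the environment variable is consulted before the system property and that the service side still has to authorise the impersonation. Separately, `realUser` is configured with `setLogin` and `setAuthenticationMethod` and then reassigned to `new UserGroupInformation(login.getSubject())`, a pattern carried over from the removed lines that appears to discard the first object and deserves a comment explaining why it is safe. The enclosing method starts and ends outside this hunk.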