HADOOP-11069. KMSClientProvider should use getAuthenticationMethod() to determine if in proxyuser mode or not. (tucu)

2014-09-05 10:04:07 -07:00 · 2014-09-05 10:04:07 -07:00 · 0f3c19c1bb
parent 71c8d735f5
commit 0f3c19c1bb
3 changed files with 9 additions and 6 deletions
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@ -765,6 +765,9 @@ Release 2.6.0 - UNRELEASED
    HADOOP-11067. warning message 'ssl.client.truststore.location has not
    been set' gets printed for hftp command. (Xiaoyu Yao via Arpit Agarwal)

+    HADOOP-11069. KMSClientProvider should use getAuthenticationMethod() to
+    determine if in proxyuser mode or not. (tucu)
+
 Release 2.5.1 - UNRELEASED

  INCOMPATIBLE CHANGES
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
@ -385,9 +385,9 @@ private HttpURLConnection createConnection(final URL url, String method)
      // if current UGI is different from UGI at constructor time, behave as
      // proxyuser
      UserGroupInformation currentUgi = UserGroupInformation.getCurrentUser();
-      final String doAsUser =
-          (loginUgi.getShortUserName().equals(currentUgi.getShortUserName()))
-          ? null : currentUgi.getShortUserName();
+      final String doAsUser = (currentUgi.getAuthenticationMethod() ==
+          UserGroupInformation.AuthenticationMethod.PROXY)
+                              ? currentUgi.getShortUserName() : null;

      // creating the HTTP connection using the current UGI at constructor time
      conn = loginUgi.doAs(new PrivilegedExceptionAction<HttpURLConnection>() {
--- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
+++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
@ -1157,7 +1157,7 @@ public Void call() throws Exception {
        final URI uri = createKMSUri(getKMSUrl());

        // proxyuser client using kerberos credentials
-        UserGroupInformation clientUgi = UserGroupInformation.
+        final UserGroupInformation clientUgi = UserGroupInformation.
            loginUserFromKeytabAndReturnUGI("client", keytab.getAbsolutePath());
        clientUgi.doAs(new PrivilegedExceptionAction<Void>() {
          @Override
@ -1167,7 +1167,7 @@ public Void run() throws Exception {

            // authorized proxyuser
            UserGroupInformation fooUgi =
-                UserGroupInformation.createRemoteUser("foo");
+                UserGroupInformation.createProxyUser("foo", clientUgi);
            fooUgi.doAs(new PrivilegedExceptionAction<Void>() {
              @Override
              public Void run() throws Exception {
@ -1179,7 +1179,7 @@ public Void run() throws Exception {

            // unauthorized proxyuser
            UserGroupInformation foo1Ugi =
-                UserGroupInformation.createRemoteUser("foo1");
+                UserGroupInformation.createProxyUser("foo1", clientUgi);
            foo1Ugi.doAs(new PrivilegedExceptionAction<Void>() {
              @Override
              public Void run() throws Exception {