HADOOP-11482. Use correct UGI when KMSClientProvider is called by a proxy user. Contributed by Arun Suresh.

Andrew Wang 2015-01-23 12:11:15 -08:00
parent 56df5f41eb
commit 4b00935643
3 changed files with 35 additions and 6 deletions


@ -756,6 +756,9 @@ Release 2.7.0 - UNRELEASED
HADOOP-11507 Hadoop RPC Authentication problem with different user locale. HADOOP-11507 Hadoop RPC Authentication problem with different user locale.
(Talat UYARER via stevel) (Talat UYARER via stevel)
HADOOP-11482. Use correct UGI when KMSClientProvider is called by a proxy
user. Contributed by Arun Suresh.
Release 2.6.0 - 2014-11-18 Release 2.6.0 - 2014-11-18
INCOMPATIBLE CHANGES INCOMPATIBLE CHANGES


@ -787,25 +787,44 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
} }
@Override @Override
public Token<?>[] addDelegationTokens(String renewer, public Token<?>[] addDelegationTokens(final String renewer,
Credentials credentials) throws IOException { Credentials credentials) throws IOException {
Token<?>[] tokens = null; Token<?>[] tokens = null;
Text dtService = getDelegationTokenService(); Text dtService = getDelegationTokenService();
Token<?> token = credentials.getToken(dtService); Token<?> token = credentials.getToken(dtService);
if (token == null) { if (token == null) {
URL url = createURL(null, null, null, null); final URL url = createURL(null, null, null, null);
DelegationTokenAuthenticatedURL authUrl = final DelegationTokenAuthenticatedURL authUrl =
new DelegationTokenAuthenticatedURL(configurator); new DelegationTokenAuthenticatedURL(configurator);
try { try {
token = authUrl.getDelegationToken(url, authToken, renewer); // 'actualUGI' is the UGI of the user creating the client
// It is possible that the creator of the KMSClientProvier
// calls this method on behalf of a proxyUser (the doAsUser).
// In which case this call has to be made as the proxy user.
UserGroupInformation currentUgi = UserGroupInformation.getCurrentUser();
final String doAsUser = (currentUgi.getAuthenticationMethod() ==
UserGroupInformation.AuthenticationMethod.PROXY)
? currentUgi.getShortUserName() : null;
token = actualUgi.doAs(new PrivilegedExceptionAction<Token<?>>() {
@Override
public Token<?> run() throws Exception {
// Not using the cached token here.. Creating a new token here
// everytime.
return authUrl.getDelegationToken(url,
new DelegationTokenAuthenticatedURL.Token(), renewer, doAsUser);
}
});
if (token != null) { if (token != null) {
credentials.addToken(token.getService(), token); credentials.addToken(token.getService(), token);
tokens = new Token<?>[] { token }; tokens = new Token<?>[] { token };
} else { } else {
throw new IOException("Got NULL as delegation token"); throw new IOException("Got NULL as delegation token");
} }
} catch (AuthenticationException ex) { } catch (InterruptedException e) {
throw new IOException(ex); Thread.currentThread().interrupt();
} catch (Exception e) {
throw new IOException(e);
} }
} }
return tokens; return tokens;
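Review bot: The new `catch (InterruptedException e)` branch in addDelegationTokens only restores the interrupt flag and then falls through to `return tokens;`, so an interrupted `actualUgi.doAs(...)` returns null, exactly like the path where the credentials already hold a token, and the caller cannot tell that no delegation token was obtained. Throw after re-interrupting, e.g. `Thread.currentThread().interrupt(); throw new IOException(e);`. The following `catch (Exception e)` is also wider than the `AuthenticationException` handler it replaces: it re-wraps the `IOException("Got NULL as delegation token")` raised inside the same try, so a `catch (IOException e) { throw e; }` placed ahead of it would keep that message at the top level. A comment beside `doAsUser` should state that the short user name of the current PROXY UGI is what gets passed as the doAs identity, since that presumably determines whose name the token is issued under. The method's closing brace lies outside the hunk.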


@ -284,6 +284,7 @@ public class TestKMS {
password = null; password = null;
} }
conf.set("hadoop.kms.authentication.token.validity", "1");
if (kerberos) { if (kerberos) {
conf.set("hadoop.kms.authentication.type", "kerberos"); conf.set("hadoop.kms.authentication.type", "kerberos");
conf.set("hadoop.kms.authentication.kerberos.keytab", conf.set("hadoop.kms.authentication.kerberos.keytab",
@ -337,6 +338,11 @@ public class TestKMS {
final KeyProvider kp = new KMSClientProvider(uri, conf); final KeyProvider kp = new KMSClientProvider(uri, conf);
// getKeys() empty // getKeys() empty
Assert.assertTrue(kp.getKeys().isEmpty()); Assert.assertTrue(kp.getKeys().isEmpty());
Thread.sleep(4000);
Token<?>[] tokens = ((KMSClientProvider)kp).addDelegationTokens("myuser", new Credentials());
Assert.assertEquals(1, tokens.length);
Assert.assertEquals("kms-dt", tokens[0].getKind().toString());
return null; return null;
} }
}); });
@ -346,6 +352,7 @@ public class TestKMS {
// getKeys() empty // getKeys() empty
Assert.assertTrue(kp.getKeys().isEmpty()); Assert.assertTrue(kp.getKeys().isEmpty());
Thread.sleep(4000);
Token<?>[] tokens = ((KMSClientProvider)kp).addDelegationTokens("myuser", new Credentials()); Token<?>[] tokens = ((KMSClientProvider)kp).addDelegationTokens("myuser", new Credentials());
Assert.assertEquals(1, tokens.length); Assert.assertEquals(1, tokens.length);
Assert.assertEquals("kms-dt", tokens[0].getKind().toString()); Assert.assertEquals("kms-dt", tokens[0].getKind().toString());