Apache
/
hadoop
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HADOOP-14029. Fix KMSClientProvider for non-secure proxyuser use case. Contributed by Xiaoyu Yao. 

(cherry picked from commit 2034315763)
This commit is contained in:
Xiaoyu Yao 2017-01-26 20:34:32 -08:00
parent 17d4ba26fc
commit 6b602c6e34
2 changed files with 11 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
View File

@ -1063,13 +1063,14 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
// Use real user for proxy user // Use real user for proxy user
actualUgi = currentUgi.getRealUser(); actualUgi = currentUgi.getRealUser();
} }
if (UserGroupInformation.isSecurityEnabled() &&
if (!containsKmsDt(actualUgi) && !containsKmsDt(actualUgi) &&
!actualUgi.hasKerberosCredentials()) { !actualUgi.hasKerberosCredentials()) {
// Use login user for user that does not have either // Use login user is only necessary when Kerberos is enabled
// but the actual user does not have either
// Kerberos credential or KMS delegation token for KMS operations // Kerberos credential or KMS delegation token for KMS operations
LOG.debug("using loginUser no KMS Delegation Token " LOG.debug("Using loginUser when Kerberos is enabled but the actual user" +
+ "no Kerberos Credentials"); " does not have either KMS Delegation Token or Kerberos Credentials");
actualUgi = UserGroupInformation.getLoginUser(); actualUgi = UserGroupInformation.getLoginUser();
} }
return actualUgi; return actualUgi;

6
hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
View File

@ -2284,7 +2284,11 @@ public class TestKMS {
public void doWebHDFSProxyUserTest(final boolean kerberos) throws Exception { public void doWebHDFSProxyUserTest(final boolean kerberos) throws Exception {
Configuration conf = new Configuration(); Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "kerberos"); if (kerberos) {
conf.set("hadoop.security.authentication", "kerberos");
}
UserGroupInformation.setConfiguration(conf);
final File testDir = getTestDir(); final File testDir = getTestDir();
conf = createBaseKMSConf(testDir, conf); conf = createBaseKMSConf(testDir, conf);
if (kerberos) { if (kerberos) {