YARN-6332. Make RegistrySecurity use short user names for ZK ACLs. Contributed by Billie Rinaldi

2017-03-16 12:59:55 +08:00 · 2017-03-16 12:59:55 +08:00 · 9f9ccb2784
parent 8b31ff6dba
commit 9f9ccb2784
1 changed files with 10 additions and 2 deletions
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/client/impl/zk/RegistrySecurity.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/main/java/org/apache/hadoop/registry/client/impl/zk/RegistrySecurity.java
@ -152,6 +152,8 @@ public class RegistrySecurity extends AbstractService {
   */
  private final List<ACL> systemACLs = new ArrayList<ACL>();

+  private boolean usesRealm = true;
+
  /**
   * A list of digest ACLs which can be added to permissions
   * —and cleared later.
@ -230,6 +232,7 @@ public class RegistrySecurity extends AbstractService {
      // System Accounts
      String system = getOrFail(KEY_REGISTRY_SYSTEM_ACCOUNTS,
                                DEFAULT_REGISTRY_SYSTEM_ACCOUNTS);
+      usesRealm = system.contains("@");

      systemACLs.addAll(buildACLs(system, kerberosRealm, ZooDefs.Perms.ALL));

@ -393,7 +396,12 @@ public class RegistrySecurity extends AbstractService {
   * @return a new ACL
   */
  public ACL createSaslACL(UserGroupInformation ugi, int perms) {
-    String userName = ugi.getUserName();
+    String userName = null;
+    if (usesRealm) {
+      userName = ugi.getUserName();
+    } else {
+      userName = ugi.getShortUserName();
+    }
    return new ACL(perms, new Id(SCHEME_SASL, userName));
  }

@ -946,7 +954,7 @@ public class RegistrySecurity extends AbstractService {
   * @return an ACL for the user
   */
  public ACL createACLfromUsername(String username, int perms) {
-    if (!username.contains("@")) {
+    if (usesRealm && !username.contains("@")) {
      username = username + "@" + kerberosRealm;
      if (LOG.isDebugEnabled()) {
        LOG.debug("Appending kerberos realm to make {}", username);