HADOOP-13988. KMSClientProvider does not work with WebHDFS and Apache Knox w/ProxyUser. Contributed by Greg Senia and Xiaoyu Yao.

This commit is contained in:
Xiaoyu Yao 2017-01-25 13:26:50 -08:00
parent 7fc3e68a87
commit a46933e8ce
1 changed files with 10 additions and 7 deletions

View File

@ -1071,10 +1071,9 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
return dtService;
}
private boolean currentUgiContainsKmsDt() throws IOException {
// Add existing credentials from current UGI, since provider is cached.
Credentials creds = UserGroupInformation.getCurrentUser().
getCredentials();
private boolean containsKmsDt(UserGroupInformation ugi) throws IOException {
// Add existing credentials from the UGI, since provider is cached.
Credentials creds = ugi.getCredentials();
if (!creds.getAllTokens().isEmpty()) {
org.apache.hadoop.security.token.Token<? extends TokenIdentifier>
dToken = creds.getToken(getDelegationTokenService());
@ -1096,11 +1095,15 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
if (currentUgi.getRealUser() != null) {
// Use real user for proxy user
actualUgi = currentUgi.getRealUser();
} else if (!currentUgiContainsKmsDt() &&
!currentUgi.hasKerberosCredentials()) {
}
if (!containsKmsDt(actualUgi) &&
!actualUgi.hasKerberosCredentials()) {
// Use login user for user that does not have either
// Kerberos credential or KMS delegation token for KMS operations
actualUgi = currentUgi.getLoginUser();
LOG.debug("using loginUser no KMS Delegation Token "
+ "no Kerberos Credentials");
actualUgi = UserGroupInformation.getLoginUser();
}
return actualUgi;
}