From: xyao@apache.org To: common-commits@hadoop.apache.org Message-Id: <23d25a51b40140b9a2780d9976fca8bb@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: hadoop git commit: HADOOP-13988. KMSClientProvider does not work with WebHDFS and Apache Knox w/ProxyUser. Contributed by Greg Senia and Xiaoyu Yao. Date: Wed, 25 Jan 2017 21:34:17 +0000 (UTC) archived-at: Wed, 25 Jan 2017 21:34:24 -0000 Repository: hadoop Updated Branches: refs/heads/trunk 7fc3e68a8 -> a46933e8c HADOOP-13988. KMSClientProvider does not work with WebHDFS and Apache Knox w/ProxyUser. Contributed by Greg Senia and Xiaoyu Yao. Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/a46933e8 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/a46933e8 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/a46933e8 Branch: refs/heads/trunk Commit: a46933e8ce4c1715c11e3e3283bf0e8c2b53b837 Parents: 7fc3e68 Author: Xiaoyu Yao Authored: Wed Jan 25 13:26:50 2017 -0800 Committer: Xiaoyu Yao Committed: Wed Jan 25 13:33:06 2017 -0800 ---------------------------------------------------------------------- .../hadoop/crypto/key/kms/KMSClientProvider.java | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/a46933e8/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java ----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
index df6768d..ccc8968 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
@@ -1071,10 +1071,9 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
 return dtService;
 }
 
- private boolean currentUgiContainsKmsDt() throws IOException {
- // Add existing credentials from current UGI, since provider is cached.
- Credentials creds = UserGroupInformation.getCurrentUser().
- getCredentials();
+ private boolean containsKmsDt(UserGroupInformation ugi) throws IOException {
+ // Add existing credentials from the UGI, since provider is cached.
+ Credentials creds = ugi.getCredentials();
 if (!creds.getAllTokens().isEmpty()) {
 org.apache.hadoop.security.token.Token dToken =
 creds.getToken(getDelegationTokenService());
@@ -1096,11 +1095,15 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
 if (currentUgi.getRealUser() != null) {
 // Use real user for proxy user
 actualUgi = currentUgi.getRealUser();
- } else if (!currentUgiContainsKmsDt() &&
- !currentUgi.hasKerberosCredentials()) {
+ }
+
+ if (!containsKmsDt(actualUgi) &&
+ !actualUgi.hasKerberosCredentials()) {
 // Use login user for user that does not have either
 // Kerberos credential or KMS delegation token for KMS operations
- actualUgi = currentUgi.getLoginUser();
+ LOG.debug("using loginUser no KMS Delegation Token " + + "no Kerberos Credentials");
+ actualUgi = UserGroupInformation.getLoginUser();
 }
 return actualUgi;
 }
--------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org For additional commands, e-mail: common-commits-help@hadoop.apache.org
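Review bot: The comment kept at the top of `containsKmsDt` says credentials are added, but the visible lines only read `ugi.getCredentials()` and look up a token by `getDelegationTokenService()`, so it misdescribes the method now that it accepts an arbitrary UGI. I would replace it with `// Check whether the given UGI already carries a KMS delegation token.` and add a short Javadoc stating that `ugi` must be non-null and which identity callers are expected to pass. The method's return statements are outside this hunk, so confirm the wording against the full body.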
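Review bot: The new `if` now also runs for proxy users, so a real user with neither a KMS delegation token nor Kerberos credentials is replaced by the process login user, and the only trace is a debug line that names neither identity (its two literals also join as "Token no Kerberos"). Because this decides which principal authenticates to the KMS, record the substitution with both users, e.g. `LOG.debug("Using login user for KMS; " + actualUgi + " has no KMS delegation token or Kerberos credentials");` followed by the login user's name once it is assigned. The check consults only `actualUgi`, so a token held by the proxy UGI itself would presumably not be seen when a real user is present; that is worth confirming against how tokens are attached by callers. The diffstat shows no test change, and a unit test for a proxy user whose real user lacks both credential types would pin the intended identity. The enclosing method starts outside the hunk.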