hadoop-common-dev mailing list archives

From "Greg Senia (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-13988) KMSClientProvider does not work with WebHDFS and Apache Knox w/ProxyUser
Date Fri, 13 Jan 2017 18:09:27 GMT
Greg Senia created HADOOP-13988:

             Summary: KMSClientProvider does not work with WebHDFS and Apache Knox w/ProxyUser
                 Key: HADOOP-13988
                 URL: https://issues.apache.org/jira/browse/HADOOP-13988
             Project: Hadoop Common
          Issue Type: Bug
          Components: common, kms
    Affects Versions: 2.7.3
         Environment: HDP 

WebHDFSUser --> Knox --> HA NameNodes(WebHDFS) --> DataNodes
            Reporter: Greg Senia

After upgrading to HDP, we noticed that all of the KMSClientProvider issues have not been
resolved. We put a test build together and applied HADOOP-13558 and HADOOP-13749; these two
fixes still did not solve the issue with requests coming from WebHDFS through to Knox to a
TDE zone.

So we added some debug to our build and determined that effectively what is happening here is a
double-proxy situation, which does not seem to work. So we propose the following fix in getActualUgi:

     // Use current user by default
     UserGroupInformation actualUgi = currentUgi;
     if (currentUgi.getRealUser() != null) {
       // Use real user for proxy user
       if (LOG.isDebugEnabled()) {
         LOG.debug("using RealUser for proxyUser");
       }
       actualUgi = currentUgi.getRealUser();
       if (getDoAsUser() != null) {
         if (LOG.isDebugEnabled()) {
           LOG.debug("doAsUser exists");
           LOG.debug("currentUGI realUser shortName: {}", currentUgi.getRealUser().getShortUserName());
           LOG.debug("processUGI loginUser shortName: {}", UserGroupInformation.getLoginUser().getShortUserName());
         }
         // Compare the short names by value (!= on String compares references)
         if (!currentUgi.getRealUser().getShortUserName().equals(
             UserGroupInformation.getLoginUser().getShortUserName())) {
           if (LOG.isDebugEnabled()) {
             LOG.debug("currentUGI.realUser does not match UGI.processUser");
           }
           // Double proxy: fall back to the login user of this process
           actualUgi = UserGroupInformation.getLoginUser();
           if (LOG.isDebugEnabled()) {
             LOG.debug("LoginUser for Proxy: {}", actualUgi.getLoginUser());
           }
         }
       }
     } else if (!currentUgiContainsKmsDt() &&
         !currentUgi.hasKerberosCredentials()) {
       // Use login user for user that does not have either
       // Kerberos credential or KMS delegation token for KMS operations
       if (LOG.isDebugEnabled()) {
         LOG.debug("using loginUser no KMS Delegation Token no Kerberos Credentials");
       }
       actualUgi = currentUgi.getLoginUser();
     }
     return actualUgi;
