hadoop-common-issues mailing list archives

From "Xiaoyu Yao (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HADOOP-13988) KMSClientProvider does not work with WebHDFS and Apache Knox w/ProxyUser
Date Thu, 26 Jan 2017 23:32:24 GMT

[ https://issues.apache.org/jira/browse/HADOOP-13988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15840657#comment-15840657 ]

Xiaoyu Yao edited comment on HADOOP-13988 at 1/26/17 11:31 PM:
---------------------------------------------------------------

[~gss2002], the unit test failure seems different. [~xiaochen], it is caused by the proxy user in the non-secure case.
We will need to check if security is enabled before using the login user for the proxy user, as below.

{code}
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
@@ -1097,7 +1097,8 @@ private UserGroupInformation getActualUgi() throws IOException {
       actualUgi = currentUgi.getRealUser();
     }
 
-    if (!containsKmsDt(actualUgi) &&
+    if (UserGroupInformation.isSecurityEnabled() &&
+        !containsKmsDt(actualUgi) &&
         !actualUgi.hasKerberosCredentials()) {
       // Use login user for user that does not have either
       // Kerberos credential or KMS delegation token for KMS operations
{code}
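Review bot: the added `UserGroupInformation.isSecurityEnabled()` guard on the first `+` line makes the fallback to the login user apply only in Kerberos mode, so in simple-auth mode the proxy's real user is kept for KMS operations even though it holds neither a KMS delegation token nor Kerberos credentials, which matches the non-secure proxy-user case described above; two follow-ups before commit: the branch that is now skipped in simple-auth mode leaves no trace of which identity was chosen (the existing fallback only logs at DEBUG inside the branch), so a line such as `LOG.debug("security disabled, using {} for KMS operations", actualUgi)` ahead of the `if` would help when diagnosing doAs failures, and the case that broke the existing test (security disabled, `currentUgi` with a real user) should get its own assertion against `getActualUgi()` so the guard cannot regress.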


was (Author: xyao):
[~gss2002], the unit test failure seems different. [~xiaochen], it is caused by the proxy user in the non-secure case.
We will need to check if security is enabled before using the login user for the proxy user, as below.

{code}
++>    if (UserGroupInformation.isSecurityEnabled() &&
        !containsKmsDt(actualUgi) &&
        !actualUgi.hasKerberosCredentials()) {
      // Use login user for user that does not have either
      // Kerberos credential or KMS delegation token for KMS operations
      LOG.debug("using loginUser no KMS Delegation Token "
          + "no Kerberos Credentials");
      actualUgi = UserGroupInformation.getLoginUser();
    }
{code}
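The UGI-selection rule discussed in this comment, as an added illustration that is not Hadoop code: a stand-in `Ugi` class replaces `UserGroupInformation`, the `guardBySecurity` flag switches between the unguarded (pre-fix) and guarded (patched) condition, and the user names and credential flags are constructed for the demo.

```java
// Added illustration, not Hadoop code: models the UGI selection in
// KMSClientProvider.getActualUgi() with and without the isSecurityEnabled() guard.
public class ActualUgiModel {
    /** Stand-in for UserGroupInformation (assumed fields, for the demo only). */
    static final class Ugi {
        final String name; final Ugi realUser; final boolean kerberos; final boolean kmsDt;
        Ugi(String name, Ugi realUser, boolean kerberos, boolean kmsDt) {
            this.name = name; this.realUser = realUser;
            this.kerberos = kerberos; this.kmsDt = kmsDt;
        }
        @Override public String toString() { return name; }
    }

    /**
     * Same decision as the patched method: current user by default, the real
     * user for a proxy user, and the login user only when the chosen user has
     * neither a KMS delegation token nor Kerberos credentials. With
     * guardBySecurity=false the last step also runs in simple-auth mode (pre-fix).
     */
    static Ugi getActualUgi(Ugi currentUgi, Ugi loginUser,
                            boolean securityEnabled, boolean guardBySecurity) {
        Ugi actualUgi = currentUgi;
        if (currentUgi.realUser != null) {
            actualUgi = currentUgi.realUser;
        }
        boolean noCredentials = !actualUgi.kmsDt && !actualUgi.kerberos;
        if ((securityEnabled || !guardBySecurity) && noCredentials) {
            actualUgi = loginUser;
        }
        return actualUgi;
    }

    public static void main(String[] args) {
        Ugi login = new Ugi("hdfs", null, false, false);
        // Constructed non-secure proxy case: "alice" proxied by "knox", nobody has credentials.
        Ugi knox = new Ugi("knox", null, false, false);
        Ugi alice = new Ugi("alice", knox, false, false);
        System.out.println("simple auth, unguarded: " + getActualUgi(alice, login, false, false));
        System.out.println("simple auth, guarded:   " + getActualUgi(alice, login, false, true));
        // Constructed secure case: the real user holds Kerberos credentials, so it is kept either way.
        Ugi knoxKrb = new Ugi("knox", null, true, false);
        Ugi aliceSecure = new Ugi("alice", knoxKrb, false, false);
        System.out.println("kerberos, guarded:      " + getActualUgi(aliceSecure, login, true, true));
    }
}
```

In simple-auth mode the unguarded variant replaces the proxy's real user with the process login user, which is the behaviour the comment attributes to the non-secure proxy-user test failure; the guarded variant keeps the real user.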

> KMSClientProvider does not work with WebHDFS and Apache Knox w/ProxyUser
> ------------------------------------------------------------------------
>
>                 Key: HADOOP-13988
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13988
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: common, kms
>    Affects Versions: 2.8.0, 2.7.3
>         Environment: HDP 2.5.3.0 
> WebHDFSUser --> Knox --> HA NameNodes(WebHDFS) --> DataNodes
>            Reporter: Greg Senia
>            Assignee: Xiaoyu Yao
>             Fix For: 2.9.0, 3.0.0-alpha3
>
>         Attachments: HADOOP-13988.01.patch, HADOOP-13988.02.patch, HADOOP-13988.patch, HADOOP-13988.patch
>
>
> After upgrading to HDP 2.5.3.0 we noticed that all of the KMSClientProvider issues have not been resolved. We put a test build together and applied HADOOP-13558 and HADOOP-13749; these two fixes still did not solve the issue with requests coming from WebHDFS through Knox to a TDE zone.
> So we added some debug to our build and determined that effectively what is happening here is a double-proxy situation, which does not seem to work. So we propose the following fix in the getActualUgi method:
> {noformat}
>      }
>      // Use current user by default
>      UserGroupInformation actualUgi = currentUgi;
>      if (currentUgi.getRealUser() != null) {
>        // Use real user for proxy user
>        if (LOG.isDebugEnabled()) {
>          LOG.debug("using RealUser for proxyUser");
>        }
>        actualUgi = currentUgi.getRealUser();
>        if (getDoAsUser() != null) {
>          if (LOG.isDebugEnabled()) {
>            LOG.debug("doAsUser exists");
>            LOG.debug("currentUGI realUser shortName: {}", currentUgi.getRealUser().getShortUserName());
>            LOG.debug("processUGI loginUser shortName: {}", UserGroupInformation.getLoginUser().getShortUserName());
>          }
>          // Compare the user names by value, not by reference
>          if (!currentUgi.getRealUser().getShortUserName().equals(
>              UserGroupInformation.getLoginUser().getShortUserName())) {
>            if (LOG.isDebugEnabled()) {
>              LOG.debug("currentUGI.realUser does not match UGI.processUser");
>            }
>            actualUgi = UserGroupInformation.getLoginUser();
>            if (LOG.isDebugEnabled()) {
>              LOG.debug("LoginUser for Proxy: {}", actualUgi);
>            }
>          }
>        }
>      } else if (!currentUgiContainsKmsDt() &&
>          !currentUgi.hasKerberosCredentials()) {
>        // Use login user for user that does not have either
>        // Kerberos credential or KMS delegation token for KMS operations
>        if (LOG.isDebugEnabled()) {
>          LOG.debug("using loginUser no KMS Delegation Token no Kerberos Credentials");
>        }
>        actualUgi = UserGroupInformation.getLoginUser();
>      }
>      return actualUgi;
>    }
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
