OOZIE-2697 UGI calls for secure/non-secure clusters (temporary - needs review)
Change-Id: I0109d1e0d9ef7c17b43810f6f345a612e996591e Project: http://git-wip-us.apache.org/repos/asf/oozie/repo Commit: http://git-wip-us.apache.org/repos/asf/oozie/commit/3a8f00fa Tree: http://git-wip-us.apache.org/repos/asf/oozie/tree/3a8f00fa Diff: http://git-wip-us.apache.org/repos/asf/oozie/diff/3a8f00fa Branch: refs/heads/oya Commit: 3a8f00fa48862c393d12f1506b7cd69a4ad30d42 Parents: 8d2b49d Author: Peter Bacsko <pbac...@cloudera.com> Authored: Fri Sep 30 17:26:27 2016 +0200 Committer: Peter Bacsko <pbac...@cloudera.com> Committed: Fri Sep 30 17:26:27 2016 +0200 ---------------------------------------------------------------------- .../apache/oozie/action/hadoop/LauncherAM.java | 31 +++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/oozie/blob/3a8f00fa/sharelib/oozie/src/main/java/org/apache/oozie/action/hadoop/LauncherAM.java ----------------------------------------------------------------------
diff --git a/sharelib/oozie/src/main/java/org/apache/oozie/action/hadoop/LauncherAM.java b/sharelib/oozie/src/main/java/org/apache/oozie/action/hadoop/LauncherAM.java
index c923dda..0570d16 100644
--- a/sharelib/oozie/src/main/java/org/apache/oozie/action/hadoop/LauncherAM.java
+++ b/sharelib/oozie/src/main/java/org/apache/oozie/action/hadoop/LauncherAM.java
@@ -40,7 +40,13 @@ import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.io.SequenceFile;
 import org.apache.hadoop.io.Text;
+import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
+import org.apache.hadoop.security.token.Token;
+import org.apache.hadoop.security.token.TokenIdentifier;
+import org.apache.hadoop.yarn.api.ApplicationConstants;
 import org.apache.hadoop.yarn.api.records.Container;
 import org.apache.hadoop.yarn.api.records.ContainerStatus;
 import org.apache.hadoop.yarn.api.records.FinalApplicationStatus;
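Review bot: Five of the six imports added here (`Credentials`, `AuthMethod`, `AuthenticationMethod`, `Token`, `TokenIdentifier`) are not referenced by any line this commit adds; only `ApplicationConstants` is used, in the `jobUserName` lookup of the second hunk. Unless a follow-up change needs them, I would drop them so the import list reflects which security APIs LauncherAM actually touches.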
@@ -131,7 +137,30 @@ public class LauncherAM {
 String submitterUser = System.getProperty("submitter.user", "").trim();
 Preconditions.checkArgument(!submitterUser.isEmpty(), "Submitter user is undefined");
 System.out.println("Submitter user is: " + submitterUser);
- UserGroupInformation ugi = UserGroupInformation.createRemoteUser(submitterUser);
+
+ String jobUserName = System.getenv(ApplicationConstants.Environment.USER.name());
+
+ // DEBUG - will be removed
+ UserGroupInformation login = UserGroupInformation.getLoginUser();
+ System.out.println("Login: " + login.getUserName());
+ System.out.println("SecurityEnabled:" + UserGroupInformation.isSecurityEnabled());
+ System.out.println("Login keytab based:" + UserGroupInformation.isLoginKeytabBased());
+ System.out.println("Login ticket based:" + UserGroupInformation.isLoginTicketBased());
+ System.out.println("Login from keytab: " + login.isFromKeytab());
+ System.out.println("Login has kerberos credentials: " + login.hasKerberosCredentials());
+ System.out.println("Login authMethod: " + login.getAuthenticationMethod());
+ System.out.println("JobUserName:" + jobUserName);
+
+ UserGroupInformation ugi = null;
+
+ if (UserGroupInformation.getLoginUser().getShortUserName().equals(submitterUser)) {
+ System.out.println("Using login user for UGI");
+ ugi = UserGroupInformation.getLoginUser();
+ } else {
+ ugi = UserGroupInformation.createRemoteUser(submitterUser);
+ ugi.addCredentials(UserGroupInformation.getLoginUser().getCredentials());
+ }
+
 boolean backgroundAction = false;
 try {
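Review bot: In the `else` branch, `ugi.addCredentials(UserGroupInformation.getLoginUser().getCredentials())` copies every token and secret key held by the process login user into a UGI whose name comes from the `submitter.user` system property, and nothing logs that this path was taken or explains why the two identities may differ. Whatever later runs under `ugi` (presumably in the `try` block that follows) would then act with the login user's tokens while reporting the submitter's name, which makes audit records on a secure cluster harder to interpret. I would log the branch the same way the `if` branch does, e.g. `System.out.println("Using remote-user UGI for " + submitterUser + " with credentials of " + login.getShortUserName());`, and add a comment stating which tokens are expected to be present and why copying all of them is acceptable. The block under `// DEBUG - will be removed` already fetches `login`, so the three later `getLoginUser()` calls can reuse it, and `jobUserName` is read only by a debug print and should go when that block does. The enclosing method starts before this hunk and continues past `try {`.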