[ https://issues.apache.org/jira/browse/HDFS-13972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16814272#comment-16814272 ]
Brahma Reddy Battula commented on HDFS-13972: --------------------------------------------- {quote} RPC calls should _not_ be invoked on behalf of a user as the login user. Always use the caller's context or it's a slippery slope to privilege escalation. {quote} Yes, As [~crh] mentioned, getDatanodeReport () will be called by router ( while choosing the datanodes in rotuerwebhdfs).So it's not exposed to user. {quote}{{UserGroupInformation.getCurrentUser()}} is not a cheap call. If a cached ugi is available that is guaranteed to always be the current ugi, I'd recommend using it {quote} Agree. We can have one thread local ugi which we can set and reset while choosing the datanode like below and we might not require doAs(..) as it will not used {code:java} --- a/hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/RouterRpcServer.java +++ b/hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/RouterRpcServer.java @@ -193,6 +193,9 @@ /** ClientProtocol calls. */ private final RouterClientProtocol clientProto; + private static final ThreadLocal<UserGroupInformation> curUser + = new ThreadLocal<>(); + /** * Construct a router RPC server. * @@ -1423,10 +1426,19 @@ private boolean isPathReadOnly(final String path) { * @throws IOException If we cannot get the user information. */ static UserGroupInformation getRemoteUser() throws IOException { - UserGroupInformation ugi = Server.getRemoteUser(); + UserGroupInformation ugi = curUser.get(); + ugi = (ugi != null) ? ugi : Server.getRemoteUser(); return (ugi != null) ? ugi : UserGroupInformation.getCurrentUser(); } + static void setCurrentUser(UserGroupInformation ugi) { + curUser.set(ugi); + } + + static void resetCurrentUser() { + curUser.set(null); + } + /** * Merge the outputs from multiple namespaces. * 
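Review bot: The new `curUser` field in the first RouterRpcServer hunk has no comment, although `getRemoteUser()` in the following hunk consults it before the RPC caller's identity. I would document that contract at the declaration, for example `/** Per-thread identity override for router-internal calls; set only around a single call and always cleared in a finally block. */`. The class body starts and ends outside the hunk.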
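Review bot: In `getRemoteUser()` the thread-local now takes precedence over `Server.getRemoteUser()`, so a value left set on a handler thread would be returned for later requests on that thread, assuming handler threads are reused as is usual for RPC servers. At the visible call site that value is the login user. `resetCurrentUser()` writes null rather than restoring the previous value, so a nested set/reset pair would silently drop the outer override; `curUser.remove()` is the cleaner way to clear it. `setCurrentUser` and `resetCurrentUser` also need Javadoc stating that they must be paired in try/finally. Both helpers are package-private static, so it is worth confirming that no other class in the package can set the override on a request-handling path.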
diff --git a/hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/RouterWebHdfsMethods.java b/hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/RouterWebHdfsMethods.java index a10764a8fe7..985ace1f273 100644 --- a/hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/RouterWebHdfsMethods.java +++ b/hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/RouterWebHdfsMethods.java 
@@ -552,19 +552,13 @@ private DatanodeInfo chooseDatanode(final Router router, // We need to get the DNs as a privileged user final RouterRpcServer rpcServer = getRPCServer(router); UserGroupInformation loginUser = UserGroupInformation.getLoginUser(); - - DatanodeInfo[] dns = loginUser.doAs( - new PrivilegedAction<DatanodeInfo[]>() { - @Override - public DatanodeInfo[] run() { - try { - return rpcServer.getDatanodeReport(DatanodeReportType.LIVE); - } catch (IOException e) { - LOG.error("Cannot get the datanodes from the RPC server", e); - return null; - } - } - }); + RouterRpcServer.setCurrentUser(loginUser); + DatanodeInfo[] dns; + try { + dns = rpcServer.getDatanodeReport(DatanodeReportType.LIVE); + } finally { + RouterRpcServer.resetCurrentUser(); + }{code} > RBF: Support for Delegation Token (WebHDFS) > ------------------------------------------- > > Key: HDFS-13972 > URL: https://issues.apache.org/jira/browse/HDFS-13972 > Project: Hadoop HDFS > Issue Type: Sub-task > Reporter: Íñigo Goiri > Assignee: CR Hota > Priority: Major > Attachments: HDFS-13972-HDFS-13891.001.patch, > HDFS-13972-HDFS-13891.002.patch, HDFS-13972-HDFS-13891.003.patch, > HDFS-13972-HDFS-13891.004.patch, HDFS-13972-HDFS-13891.005.patch, > HDFS-13972-HDFS-13891.006.patch, HDFS-13972-HDFS-13891.007.patch, > HDFS-13972-HDFS-13891.008.patch, HDFS-13972-HDFS-13891.009.patch, > HDFS-13972-HDFS-13891.010.patch, HDFS-13972-HDFS-13891.011.patch, > TestRouterWebHDFSContractTokens.java > > > HDFS Router should support issuing HDFS delegation tokens through WebHDFS. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
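Review bot: Between `RouterRpcServer.setCurrentUser(loginUser)` and the `finally`, only lookups that go through `RouterRpcServer.getRemoteUser()` see the login user. Unlike the removed `doAs`, code that calls `UserGroupInformation.getCurrentUser()` directly would still see the caller's context, so the two mechanisms can disagree inside `getDatanodeReport` (its body is not visible here). The removed block also caught `IOException`, logged it and returned null, while the new code lets it propagate; the signature of `chooseDatanode` is cut off in the hunk, so confirm it declares the exception and that callers no longer depend on the null path. A comment above the call such as `// Override is honoured only by RouterRpcServer.getRemoteUser(); keep this region to the single privileged call.` would record the intent. The hunk as pasted stops before its trailing context, and the method continues outside it.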