[jira] [Commented] (HDFS-13972) RBF: Support for Delegation Token (WebHDFS)

Brahma Reddy Battula (JIRA) Wed, 10 Apr 2019 02:50:34 -0700


    [ 
https://issues.apache.org/jira/browse/HDFS-13972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16814272#comment-16814272
 ]


Brahma Reddy Battula commented on HDFS-13972:
---------------------------------------------

{quote} RPC calls should _not_ be invoked on behalf of a user as the login 
user. Always use the caller's context or it's a slippery slope to privilege 
escalation.
{quote}
Yes, As [~crh] mentioned, getDatanodeReport () will be called by router ( while 
choosing the datanodes in rotuerwebhdfs).So it's not exposed to user.
{quote}{{UserGroupInformation.getCurrentUser()}} is not a cheap call. If a 
cached ugi is available that is guaranteed to always be the current ugi, I'd 
recommend using it
{quote}
Agree.

 

We can have one thread local ugi which we can set and reset while choosing the 
datanode like below and we might not require doAs(..) as it will not used

 
{code:java}
--- 
a/hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/RouterRpcServer.java
+++ 
b/hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/RouterRpcServer.java
@@ -193,6 +193,9 @@
   /** ClientProtocol calls. */
   private final RouterClientProtocol clientProto;

+  private static final ThreadLocal<UserGroupInformation> curUser
+      = new ThreadLocal<>();
+
   /**
    * Construct a router RPC server.
    *
@@ -1423,10 +1426,19 @@ private boolean isPathReadOnly(final String path) {
    * @throws IOException If we cannot get the user information.
    */
   static UserGroupInformation getRemoteUser() throws IOException {
-    UserGroupInformation ugi = Server.getRemoteUser();
+    UserGroupInformation ugi = curUser.get();
+    ugi = (ugi != null) ? ugi : Server.getRemoteUser();
     return (ugi != null) ? ugi : UserGroupInformation.getCurrentUser();
   }

+  static void setCurrentUser(UserGroupInformation ugi) {
+    curUser.set(ugi);
+  }
+
+  static void resetCurrentUser() {
+    curUser.set(null);
+  }
+
   /**
    * Merge the outputs from multiple namespaces.
    *
diff --git 
a/hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/RouterWebHdfsMethods.java
 
b/hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/RouterWebHdfsMethods.java
index a10764a8fe7..985ace1f273 100644
--- 
a/hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/RouterWebHdfsMethods.java
+++ 
b/hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/java/org/apache/hadoop/hdfs/server/federation/router/RouterWebHdfsMethods.java
@@ -552,19 +552,13 @@ private DatanodeInfo chooseDatanode(final Router router,
     // We need to get the DNs as a privileged user
     final RouterRpcServer rpcServer = getRPCServer(router);
     UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
-
-    DatanodeInfo[] dns = loginUser.doAs(
-        new PrivilegedAction<DatanodeInfo[]>() {
-          @Override
-          public DatanodeInfo[] run() {
-            try {
-              return rpcServer.getDatanodeReport(DatanodeReportType.LIVE);
-            } catch (IOException e) {
-              LOG.error("Cannot get the datanodes from the RPC server", e);
-              return null;
-            }
-          }
-        });
+    RouterRpcServer.setCurrentUser(loginUser);
+    DatanodeInfo[] dns;
+    try {
+      dns = rpcServer.getDatanodeReport(DatanodeReportType.LIVE);
+    } finally {
+      RouterRpcServer.resetCurrentUser();
+    }{code}

> RBF: Support for Delegation Token (WebHDFS)
> -------------------------------------------
>
>                 Key: HDFS-13972
>                 URL: https://issues.apache.org/jira/browse/HDFS-13972
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>            Reporter: Íñigo Goiri
>            Assignee: CR Hota
>            Priority: Major
>         Attachments: HDFS-13972-HDFS-13891.001.patch, 
> HDFS-13972-HDFS-13891.002.patch, HDFS-13972-HDFS-13891.003.patch, 
> HDFS-13972-HDFS-13891.004.patch, HDFS-13972-HDFS-13891.005.patch, 
> HDFS-13972-HDFS-13891.006.patch, HDFS-13972-HDFS-13891.007.patch, 
> HDFS-13972-HDFS-13891.008.patch, HDFS-13972-HDFS-13891.009.patch, 
> HDFS-13972-HDFS-13891.010.patch, HDFS-13972-HDFS-13891.011.patch, 
> TestRouterWebHDFSContractTokens.java
>
>
> HDFS Router should support issuing HDFS delegation tokens through WebHDFS.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

[jira] [Commented] (HDFS-13972) RBF: Support for Delegation Token (WebHDFS)

Reply via email to