HADOOP-14029. Fix KMSClientProvider for non-secure proxyuser use case. Contributed by Xiaoyu Yao.
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/20343157
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/20343157
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/20343157
Branch: refs/heads/YARN-2915
Commit: 2034315763cd7b1eb77e96c719918fc14e2dabf6
Parents: 7bc333a
Author: Xiaoyu Yao <x...@apache.org>
Authored: Thu Jan 26 20:34:32 2017 -0800
Committer: Xiaoyu Yao <x...@apache.org>
Committed: Thu Jan 26 20:34:32 2017 -0800
----------------------------------------------------------------------
.../apache/hadoop/crypto/key/kms/KMSClientProvider.java | 11 ++++++-----
.../org/apache/hadoop/crypto/key/kms/server/TestKMS.java | 6 +++++-
2 files changed, 11 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hadoop/blob/20343157/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
index ccc8968..4c6b625 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
@@ -1096,13 +1096,14 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
 // Use real user for proxy user
 actualUgi = currentUgi.getRealUser();
 }
-
- if (!containsKmsDt(actualUgi) &&
+ if (UserGroupInformation.isSecurityEnabled() &&
+ !containsKmsDt(actualUgi) &&
 !actualUgi.hasKerberosCredentials()) {
- // Use login user for user that does not have either
+ // Use login user is only necessary when Kerberos is enabled
+ // but the actual user does not have either
 // Kerberos credential or KMS delegation token for KMS operations
- LOG.debug("using loginUser no KMS Delegation Token "
- + "no Kerberos Credentials");
+ LOG.debug("Using loginUser when Kerberos is enabled but the actual user"
+ + " does not have either KMS Delegation Token or Kerberos Credentials");
 actualUgi = UserGroupInformation.getLoginUser();
 }
 return actualUgi;
http://git-wip-us.apache.org/repos/asf/hadoop/blob/20343157/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
index 3a2d53c..72301db 100644
--- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
+++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
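Review bot: In KMSClientProvider.java, the fallback branch swaps the caller's identity for the login user, yet the new debug message names neither identity, so working out which principal actually talked to the KMS has to be done by hand; something like `LOG.debug("Using loginUser for KMS call; " + actualUgi.getShortUserName() + " has neither KMS delegation token nor Kerberos credentials");` would record it. The new guard `UserGroupInformation.isSecurityEnabled()` reads process-wide UGI state, which may not match the configuration this provider was built with (the provider's own conf is not visible here), so that dependency deserves a line in the comment. The comment's opening would read better as `// Falling back to the login user is only needed when Kerberos is enabled`. The enclosing method begins and ends outside the hunk.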
@@ -2419,7 +2419,11 @@ public class TestKMS { public void doWebHDFSProxyUserTest(final boolean kerberos) throws Exception { Configuration conf = new Configuration(); - conf.set("hadoop.security.authentication", "kerberos"); + if (kerberos) { + conf.set("hadoop.security.authentication", "kerberos"); + } + UserGroupInformation.setConfiguration(conf); + final File testDir = getTestDir(); conf = createBaseKMSConf(testDir, conf); if (kerberos) { --------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org
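Review bot: In TestKMS.java, the added `UserGroupInformation.setConfiguration(conf);` changes process-wide state and nothing in the hunk restores it, so a run with `kerberos == true` may leave security enabled for later tests in the same JVM unless a fixture outside the hunk resets it. If no such reset exists, wrap the test body in try/finally ending with `UserGroupInformation.setConfiguration(new Configuration());`. A short comment above the call, e.g. `// KMSClientProvider consults UserGroupInformation.isSecurityEnabled(), so UGI must see this conf`, would explain why the call is needed. The method body continues past the end of the hunk.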