Home Explore Help
Register Sign In
apache
/
hadoop
mirror of https://github.com/apache/hadoop.git
2
0
Fork 1
Files Issues 0 Wiki
Browse Source

HADOOP-13749. KMSClientProvider combined with KeyProviderCache can result in wrong UGI being used. Contributed by Xiaoyu Yao.

Xiaoyu Yao 8 years ago
parent
da901b6c14
commit
d0a347984d
3 changed files with 42 additions and 26 deletions
Unified View Show Diff Stats
  1. 26 26
      hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
  2. 14 0
      hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
  3. 2 0
      hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java

+ 26 - 26
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
View File 

@@ -373,7 +373,6 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
 
   private ConnectionConfigurator configurator;
 
   private ConnectionConfigurator configurator;
 
   private DelegationTokenAuthenticatedURL.Token authToken;
 
   private DelegationTokenAuthenticatedURL.Token authToken;
 
   private final int authRetry;
 
   private final int authRetry;
 
-  private final UserGroupInformation actualUgi;
 
 
 
   @Override
 
   @Override
 
   public String toString() {
 
   public String toString() {
 
@@ -455,15 +454,6 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
 
                     KMS_CLIENT_ENC_KEY_CACHE_NUM_REFILL_THREADS_DEFAULT),
 
                     KMS_CLIENT_ENC_KEY_CACHE_NUM_REFILL_THREADS_DEFAULT),
 
             new EncryptedQueueRefiller());
 
             new EncryptedQueueRefiller());
 
     authToken = new DelegationTokenAuthenticatedURL.Token();
 
     authToken = new DelegationTokenAuthenticatedURL.Token();
 
-    UserGroupInformation.AuthenticationMethod authMethod =
 
-        UserGroupInformation.getCurrentUser().getAuthenticationMethod();
 
-    if (authMethod == UserGroupInformation.AuthenticationMethod.PROXY) {
 
-      actualUgi = UserGroupInformation.getCurrentUser().getRealUser();
 
-    } else if (authMethod == UserGroupInformation.AuthenticationMethod.TOKEN) {
 
-      actualUgi = UserGroupInformation.getLoginUser();
 
-    } else {
 
-      actualUgi =UserGroupInformation.getCurrentUser();
 
-    }
 
   }
 
   }
 
 
 
   private static Path extractKMSPath(URI uri) throws MalformedURLException, IOException {
 
   private static Path extractKMSPath(URI uri) throws MalformedURLException, IOException {
 
@@ -530,19 +520,9 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
 
       throws IOException {
 
       throws IOException {
 
     HttpURLConnection conn;
 
     HttpURLConnection conn;
 
     try {
 
     try {
 
-      // if current UGI is different from UGI at constructor time, behave as
 
-      // proxyuser
 
-      UserGroupInformation currentUgi = UserGroupInformation.getCurrentUser();
 
-      final String doAsUser = (currentUgi.getAuthenticationMethod() ==
 
-          UserGroupInformation.AuthenticationMethod.PROXY)
 
-                              ? currentUgi.getShortUserName() : null;
 
-
 
-      // If current UGI contains kms-dt && is not proxy, doAs it to use its dt.
 
-      // Otherwise, create the HTTP connection using the UGI at constructor time
 
-      UserGroupInformation ugiToUse =
 
-          (currentUgiContainsKmsDt() && doAsUser == null) ?
 
-              currentUgi : actualUgi;
 
-      conn = ugiToUse.doAs(new PrivilegedExceptionAction<HttpURLConnection>() {
 
+      final String doAsUser = getDoAsUser();
 
+      conn = getActualUgi().doAs(new PrivilegedExceptionAction
 
+          <HttpURLConnection>() {
 
         @Override
 
         @Override
 
         public HttpURLConnection run() throws Exception {
 
         public HttpURLConnection run() throws Exception {
 
           DelegationTokenAuthenticatedURL authUrl =
 
           DelegationTokenAuthenticatedURL authUrl =
 
@@ -919,7 +899,7 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
 
           token, url, doAsUser);
 
           token, url, doAsUser);
 
       final DelegationTokenAuthenticatedURL authUrl =
 
       final DelegationTokenAuthenticatedURL authUrl =
 
           new DelegationTokenAuthenticatedURL(configurator);
 
           new DelegationTokenAuthenticatedURL(configurator);
 
-      return actualUgi.doAs(
 
+      return getActualUgi().doAs(
 
           new PrivilegedExceptionAction<Long>() {
 
           new PrivilegedExceptionAction<Long>() {
 
             @Override
 
             @Override
 
             public Long run() throws Exception {
 
             public Long run() throws Exception {
 
@@ -942,7 +922,7 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
 
       final String doAsUser = getDoAsUser();
 
       final String doAsUser = getDoAsUser();
 
       final DelegationTokenAuthenticatedURL.Token token =
 
       final DelegationTokenAuthenticatedURL.Token token =
 
           generateDelegationToken(dToken);
 
           generateDelegationToken(dToken);
 
-      return actualUgi.doAs(
 
+      return getActualUgi().doAs(
 
           new PrivilegedExceptionAction<Void>() {
 
           new PrivilegedExceptionAction<Void>() {
 
             @Override
 
             @Override
 
             public Void run() throws Exception {
 
             public Void run() throws Exception {
 
@@ -1014,7 +994,7 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
 
           new DelegationTokenAuthenticatedURL(configurator);
 
           new DelegationTokenAuthenticatedURL(configurator);
 
       try {
 
       try {
 
         final String doAsUser = getDoAsUser();
 
         final String doAsUser = getDoAsUser();
 
-        token = actualUgi.doAs(new PrivilegedExceptionAction<Token<?>>() {
 
+        token = getActualUgi().doAs(new PrivilegedExceptionAction<Token<?>>() {
 
           @Override
 
           @Override
 
           public Token<?> run() throws Exception {
 
           public Token<?> run() throws Exception {
 
             // Not using the cached token here.. Creating a new token here
 
             // Not using the cached token here.. Creating a new token here
 
@@ -1060,6 +1040,26 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
 
     return false;
 
     return false;
 
   }
 
   }
 
 
 
+  private UserGroupInformation getActualUgi() throws IOException {
 
+    final UserGroupInformation currentUgi = UserGroupInformation
 
+        .getCurrentUser();
 
+    if (LOG.isDebugEnabled()) {
 
+      UserGroupInformation.logAllUserInfo(currentUgi);
 
+    }
 
+    // Use current user by default
 
+    UserGroupInformation actualUgi = currentUgi;
 
+    if (currentUgi.getRealUser() != null) {
 
+      // Use real user for proxy user
 
+      actualUgi = currentUgi.getRealUser();
 
+    } else if (!currentUgiContainsKmsDt() &&
 
+        !currentUgi.hasKerberosCredentials()) {
 
+      // Use login user for user that does not have either
 
+      // Kerberos credential or KMS delegation token for KMS operations
 
+      actualUgi = currentUgi.getLoginUser();
 
+    }
 
+    return actualUgi;
 
+  }
 
+
 
   /**
 
   /**
 
    * Shutdown valueQueue executor threads
 
    * Shutdown valueQueue executor threads
 
    */
 
    */

+ 14 - 0
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
View File 

@@ -1823,6 +1823,20 @@ public class UserGroupInformation {
 
     }
 
     }
 
   }
 
   }
 
 
 
+  public static void logAllUserInfo(UserGroupInformation ugi) throws
 
+      IOException {
 
+    if (LOG.isDebugEnabled()) {
 
+      LOG.debug("UGI: " + ugi);
 
+      if (ugi.getRealUser() != null) {
 
+        LOG.debug("+RealUGI: " + ugi.getRealUser());
 
+      }
 
+      LOG.debug("+LoginUGI: " + ugi.getLoginUser());
 
+      for (Token<?> token : ugi.getTokens()) {
 
+        LOG.debug("+UGI token:" + token);
 
+      }
 
+    }
 
+  }
 
+
 
   private void print() throws IOException {
 
   private void print() throws IOException {
 
     System.out.println("User: " + getUserName());
 
     System.out.println("User: " + getUserName());
 
     System.out.print("Group Ids: ");
 
     System.out.print("Group Ids: ");

+ 2 - 0
hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java
View File 

@@ -1833,6 +1833,7 @@ public class TestKMS {
 
             } else {
 
             } else {
 
               otherUgi = UserGroupInformation.createUserForTesting("client1",
 
               otherUgi = UserGroupInformation.createUserForTesting("client1",
 
                   new String[] {"other group"});
 
                   new String[] {"other group"});
 
+              UserGroupInformation.setLoginUser(otherUgi);
 
             }
 
             }
 
             try {
 
             try {
 
               // test delegation token renewal via renewer
 
               // test delegation token renewal via renewer
 
@@ -2153,6 +2154,7 @@ public class TestKMS {
 
               loginUserFromKeytabAndReturnUGI("client", keytab.getAbsolutePath());
 
               loginUserFromKeytabAndReturnUGI("client", keytab.getAbsolutePath());
 
         } else {
 
         } else {
 
           proxyUgi = UserGroupInformation.createRemoteUser("client");
 
           proxyUgi = UserGroupInformation.createRemoteUser("client");
 
+          UserGroupInformation.setLoginUser(proxyUgi);
 
         }
 
         }
 
 
 
         final UserGroupInformation clientUgi = proxyUgi; 
         final UserGroupInformation clientUgi = proxyUgi;