
HADOOP-14351. Azure: RemoteWasbAuthorizerImpl and RemoteSASKeyGeneratorImpl should not use Kerberos interactive user cache. Contributed by Santhosh G Nayak

Mingliang Liu 8 rokov pred
rodič
commit
8b5f2c372e

+ 0 - 3
hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/NativeAzureFileSystem.java

@@ -2987,9 +2987,6 @@ public class NativeAzureFileSystem extends FileSystem {
         if (connectUgi == null) {
           connectUgi = ugi;
         }
-        if (!connectUgi.hasKerberosCredentials()) {
-          connectUgi = UserGroupInformation.getLoginUser();
-        }
         connectUgi.checkTGTAndReloginFromKeytab();
         return connectUgi.doAs(new PrivilegedExceptionAction<Token<?>>() {
           @Override

+ 8 - 18
hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/RemoteSASKeyGeneratorImpl.java

@@ -97,7 +97,7 @@ public class RemoteSASKeyGeneratorImpl extends SASKeyGeneratorImpl {
   private static final String RELATIVE_PATH_QUERY_PARAM_NAME =
       "relative_path";
 
-  private String delegationToken = "";
+  private String delegationToken;
   private String credServiceUrl = "";
   private WasbRemoteCallHelper remoteCallHelper = null;
   private boolean isSecurityEnabled;
@@ -110,14 +110,7 @@ public class RemoteSASKeyGeneratorImpl extends SASKeyGeneratorImpl {
   public void initialize(Configuration conf) throws IOException {
 
     LOG.debug("Initializing RemoteSASKeyGeneratorImpl instance");
-    try {
-      delegationToken = SecurityUtils.getDelegationTokenFromCredentials();
-    } catch (IOException e) {
-      final String msg = "Error in fetching the WASB delegation token";
-      LOG.error(msg, e);
-      throw new IOException(msg, e);
-    }
-
+    setDelegationToken();
     try {
       credServiceUrl = SecurityUtils.getCredServiceUrls(conf);
     } catch (UnknownHostException e) {
@@ -146,6 +139,7 @@ public class RemoteSASKeyGeneratorImpl extends SASKeyGeneratorImpl {
     try {
       LOG.debug("Generating Container SAS Key for Container {} "
           + "inside Storage Account {} ", container, storageAccount);
+      setDelegationToken();
       URIBuilder uriBuilder = new URIBuilder(credServiceUrl);
       uriBuilder.setPath("/" + CONTAINER_SAS_OP);
       uriBuilder.addParameter(STORAGE_ACCOUNT_QUERY_PARAM_NAME,
@@ -166,10 +160,6 @@ public class RemoteSASKeyGeneratorImpl extends SASKeyGeneratorImpl {
       } else {
         uriBuilder.addParameter(Constants.DOAS_PARAM, ugi.getShortUserName());
       }
-
-      if (isSecurityEnabled && !connectUgi.hasKerberosCredentials()) {
-        connectUgi = UserGroupInformation.getLoginUser();
-      }
       return getSASKey(uriBuilder.build(), connectUgi);
     } catch (URISyntaxException uriSyntaxEx) {
       throw new SASKeyGenerationException("Encountered URISyntaxException "
@@ -188,6 +178,7 @@ public class RemoteSASKeyGeneratorImpl extends SASKeyGeneratorImpl {
       LOG.debug("Generating RelativePath SAS Key for relativePath {} inside"
               + " Container {} inside Storage Account {} ",
           relativePath, container, storageAccount);
+      setDelegationToken();
       URIBuilder uriBuilder = new URIBuilder(credServiceUrl);
       uriBuilder.setPath("/" + BLOB_SAS_OP);
       uriBuilder.addParameter(STORAGE_ACCOUNT_QUERY_PARAM_NAME,
@@ -212,10 +203,6 @@ public class RemoteSASKeyGeneratorImpl extends SASKeyGeneratorImpl {
       } else {
         uriBuilder.addParameter(Constants.DOAS_PARAM, ugi.getShortUserName());
       }
-
-      if (isSecurityEnabled && !connectUgi.hasKerberosCredentials()) {
-        connectUgi = UserGroupInformation.getLoginUser();
-      }
       return getSASKey(uriBuilder.build(), connectUgi);
     } catch (URISyntaxException uriSyntaxEx) {
       throw new SASKeyGenerationException("Encountered URISyntaxException"
@@ -231,7 +218,6 @@ public class RemoteSASKeyGeneratorImpl extends SASKeyGeneratorImpl {
       throws URISyntaxException, SASKeyGenerationException {
     final RemoteSASKeyGenerationResponse sasKeyResponse;
     try {
-      connectUgi.checkTGTAndReloginFromKeytab();
       sasKeyResponse = connectUgi.doAs(
           new PrivilegedExceptionAction<RemoteSASKeyGenerationResponse>() {
             @Override
@@ -311,6 +297,10 @@ public class RemoteSASKeyGeneratorImpl extends SASKeyGeneratorImpl {
           + "accessing remote service to retrieve SAS Key", ioEx);
     }
   }
+
+  private void setDelegationToken() throws IOException {
+    this.delegationToken = SecurityUtils.getDelegationTokenFromCredentials();
+  }
 }
 
 /**
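Review bot: `setDelegationToken()` stores a per-request credential in the instance field `delegationToken`, and both SAS-key methods (the hunks at +139 and +178) now overwrite that field on every call. If one RemoteSASKeyGeneratorImpl instance serves concurrent callers running as different users, and getSASKey (whose body lies outside these hunks) reads the field later inside `doAs`, one caller's token could be sent with another caller's request. Keeping the token in a local, `final String token = SecurityUtils.getDelegationTokenFromCredentials();`, and passing it down to getSASKey would avoid the shared write. `RemoteWasbAuthorizerImpl.setDelegationToken()` follows the same pattern. This assumes getDelegationTokenFromCredentials() resolves the token from the current caller's credentials, which is not visible here.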

+ 6 - 16
hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/RemoteWasbAuthorizerImpl.java

@@ -31,8 +31,6 @@ import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
 import org.apache.hadoop.security.authentication.client.AuthenticationException;
 import org.apache.hadoop.security.authentication.client.Authenticator;
-import org.apache.hadoop.security.token.Token;
-import org.apache.hadoop.security.token.TokenIdentifier;
 import org.apache.hadoop.security.token.delegation.web.KerberosDelegationTokenAuthenticator;
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.client.utils.URIBuilder;
@@ -42,7 +40,6 @@ import org.slf4j.LoggerFactory;
 import java.io.IOException;
 import java.net.URISyntaxException;
 import java.security.PrivilegedExceptionAction;
-import java.util.Iterator;
 
 import static org.apache.hadoop.fs.azure.WasbRemoteCallHelper.REMOTE_CALL_SUCCESS_CODE;
 
@@ -104,15 +101,7 @@ public class RemoteWasbAuthorizerImpl implements WasbAuthorizerInterface {
   public void init(Configuration conf)
       throws WasbAuthorizationException, IOException {
     LOG.debug("Initializing RemoteWasbAuthorizerImpl instance");
-    Iterator<Token<? extends TokenIdentifier>> tokenIterator = null;
-    try {
-          delegationToken = SecurityUtils.getDelegationTokenFromCredentials();
-    } catch (IOException e) {
-      final String msg = "Error in fetching the WASB delegation token";
-      LOG.error(msg, e);
-      throw new IOException(msg, e);
-    }
-
+    setDelegationToken();
     remoteAuthorizerServiceUrl = SecurityUtils
         .getRemoteAuthServiceUrls(conf);
 
@@ -140,6 +129,7 @@ public class RemoteWasbAuthorizerImpl implements WasbAuthorizerInterface {
           return true;
         }
 
+        setDelegationToken();
         URIBuilder uriBuilder = new URIBuilder(remoteAuthorizerServiceUrl);
         uriBuilder.setPath("/" + CHECK_AUTHORIZATION_OP);
         uriBuilder.addParameter(WASB_ABSOLUTE_PATH_QUERY_PARAM_NAME,
@@ -159,10 +149,6 @@ public class RemoteWasbAuthorizerImpl implements WasbAuthorizerInterface {
         } else {
           uriBuilder.addParameter(Constants.DOAS_PARAM, ugi.getShortUserName());
         }
-        if (isSecurityEnabled && !connectUgi.hasKerberosCredentials()) {
-          connectUgi = UserGroupInformation.getLoginUser();
-        }
-        connectUgi.checkTGTAndReloginFromKeytab();
 
         try {
           responseBody = connectUgi
@@ -218,6 +204,10 @@ public class RemoteWasbAuthorizerImpl implements WasbAuthorizerInterface {
         throw new WasbAuthorizationException(ex);
       }
   }
+
+  private void setDelegationToken() throws IOException {
+    this.delegationToken = SecurityUtils.getDelegationTokenFromCredentials();
+  }
 }
 
 /**
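Review bot: The hunk at +149 drops `connectUgi.checkTGTAndReloginFromKeytab();` together with the login-user fallback, and no visible hunk in this file re-adds it, so nothing shown here refreshes a keytab-based TGT before `connectUgi.doAs(...)`. NativeAzureFileSystem and WasbTokenRenewer keep that call in this same commit while RemoteSASKeyGeneratorImpl.getSASKey loses it too, so the call sites are no longer consistent. If the remote call can still authenticate with Kerberos when no delegation token is present, a long-running keytab login would presumably start failing once its ticket expires. Either keep `connectUgi.checkTGTAndReloginFromKeytab();` before the `try`, or add a comment stating where relogin is handled. The authorize method's body starts and ends outside the hunk.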

+ 0 - 6
hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azure/security/WasbTokenRenewer.java

@@ -81,9 +81,6 @@ public class WasbTokenRenewer extends TokenRenewer {
     if (connectUgi == null) {
       connectUgi = ugi;
     }
-    if (!connectUgi.hasKerberosCredentials()) {
-      connectUgi = UserGroupInformation.getLoginUser();
-    }
     connectUgi.checkTGTAndReloginFromKeytab();
     final DelegationTokenAuthenticatedURL.Token authToken = new DelegationTokenAuthenticatedURL.Token();
     authToken
@@ -123,9 +120,6 @@ public class WasbTokenRenewer extends TokenRenewer {
     if (connectUgi == null) {
       connectUgi = ugi;
     }
-    if (!connectUgi.hasKerberosCredentials()) {
-      connectUgi = UserGroupInformation.getLoginUser();
-    }
     connectUgi.checkTGTAndReloginFromKeytab();
     final DelegationTokenAuthenticatedURL.Token authToken = new DelegationTokenAuthenticatedURL.Token();
     authToken