/**
 * Resolves the {@link UserGroupInformation} under which an operation on {@code entityId} runs.
 *
 * <p>The caller's own UGI is returned unchanged, with no impersonation, when any of these holds:
 * <ul>
 *   <li>Kerberos is not enabled;</li>
 *   <li>the entity lives in the system namespace;</li>
 *   <li>the caller's short user name differs from {@code masterShortUsername}, which this method
 *       treats as "the call is already impersonated" (see CDAP-8641 and CDAP-13123).</li>
 * </ul>
 * In every other case the UGI configured for the impersonation request is fetched from
 * {@code ugiProvider}.
 *
 * <p>Security note: in the already-impersonated case the request is not rejected. The operation
 * continues with the identity that is already in effect, and the only trace is the debug entry
 * plus the warning written to {@code IMPERSONATION_FAILTURE_LOG}. That warning is therefore the
 * signal to monitor for calls that ran under a different identity than the entity asks for.
 *
 * @param entityId the entity the operation targets; its namespace decides whether impersonation
 *     is considered at all
 * @param impersonatedOpType the kind of operation, carried into the impersonation request
 * @return the caller's UGI, or the UGI the provider has configured for the request
 * @throws IOException propagated from the current-user lookup or from the UGI provider
 */
private UserGroupInformation getUGI(NamespacedEntityId entityId,
                                    ImpersonatedOpType impersonatedOpType) throws IOException {
  UserGroupInformation caller = UserGroupInformation.getCurrentUser();

  // Without Kerberos there is nothing to impersonate.
  if (!kerberosEnabled) {
    return caller;
  }
  // Operations in the system namespace always run as the caller.
  if (NamespaceId.SYSTEM.equals(entityId.getNamespaceId())) {
    return caller;
  }

  ImpersonationRequest request = new ImpersonationRequest(entityId, impersonatedOpType);

  // Only the CDAP master user may start an impersonation. Any other caller is assumed to be
  // running inside an earlier impersonation, and nesting a second one is not allowed
  // (CDAP-8641, CDAP-13123). This is a temporary fix; the impersonation model needs revisiting.
  // NOTE(review): the decision rests on short user names alone - confirm masterShortUsername is
  // derived with the same principal-to-short-name mapping as getShortUserName().
  boolean callerIsMaster = caller.getShortUserName().equals(masterShortUsername);
  if (callerIsMaster) {
    return ugiProvider.getConfiguredUGI(request).getUGI();
  }

  LOG.debug("Not impersonating for {} as the call is already impersonated as {}", request, caller);
  IMPERSONATION_FAILTURE_LOG.warn("Not impersonating for {} as the call is already impersonated as {}",
                                  request, caller);
  return caller;
}
} // closes the enclosing type, whose header is not part of this excerpt
UGIWithPrincipal ugiWithPrincipal; try { ugiWithPrincipal = ugiProvider.getConfiguredUGI(impersonationRequest); } catch (IOException e) { throw new ServiceException(e, HttpResponseStatus.INTERNAL_SERVER_ERROR);
UGIWithPrincipal ugiWithPrincipal; try { ugiWithPrincipal = ugiProvider.getConfiguredUGI(impersonationRequest); } catch (IOException e) { throw new ServiceException(e, HttpResponseStatus.INTERNAL_SERVER_ERROR);
/**
 * Fetches the configured UGI for {@code impersonationRequest} from {@code provider} and asserts
 * that it is usable for Kerberos impersonation.
 *
 * <p>Checks, in order: the UGI's authentication method is KERBEROS, the returned principal equals
 * {@code principalId}'s principal, the UGI holds Kerberos credentials, and a second lookup for the
 * same request yields the very same UGI instance (i.e. the provider caches).
 *
 * @param provider the provider under test
 * @param principalId the principal the returned UGI is expected to carry
 * @param impersonationRequest the request to resolve
 * @return the {@link UGIWithPrincipal} from the first lookup
 * @throws IOException if the provider fails to produce a UGI
 */
private UGIWithPrincipal verifyAndGetUGI(UGIProvider provider,
                                         KerberosPrincipalId principalId,
                                         ImpersonationRequest impersonationRequest) throws IOException {
  UGIWithPrincipal configured = provider.getConfiguredUGI(impersonationRequest);

  // The identity must come from a Kerberos login, not a weaker authentication method.
  UserGroupInformation.AuthenticationMethod actualAuth = configured.getUGI().getAuthenticationMethod();
  Assert.assertEquals(UserGroupInformation.AuthenticationMethod.KERBEROS, actualAuth);

  // The provider must hand back exactly the principal that was asked for.
  Assert.assertEquals(principalId.getPrincipal(), configured.getPrincipal());

  boolean hasCredentials = configured.getUGI().hasKerberosCredentials();
  Assert.assertTrue(hasCredentials);

  // A repeated lookup should return the same UGI instance because the provider caches.
  // NOTE(review): the cache key is not visible here - confirm it distinguishes principals, so a
  // cached UGI is never served for a request that maps to a different principal.
  UserGroupInformation firstUgi = configured.getUGI();
  UserGroupInformation secondUgi = provider.getConfiguredUGI(impersonationRequest).getUGI();
  Assert.assertSame(firstUgi, secondUgi);

  return configured;
}