throw new ServiceException(e, HttpResponseStatus.INTERNAL_SERVER_ERROR); Credentials credentials = ImpersonationUtils.doAs(ugiWithPrincipal.getUGI(), new Callable<Credentials>() { @Override public Credentials call() throws Exception { credentials.writeTokenStorageToStream(os); LOG.debug("Wrote credentials for user {} to {}", ugiWithPrincipal.getPrincipal(), credentialsFile); PrincipalCredentials principalCredentials = new PrincipalCredentials(ugiWithPrincipal.getPrincipal(), credentialsFile.toURI().toString()); responder.sendJson(HttpResponseStatus.OK, GSON.toJson(principalCredentials));
/**
 * Returns the caller's own UGI paired with the Kerberos principal of the authenticated user.
 * <p>
 * No identity switch happens in this implementation: the UGI is always
 * {@link UserGroupInformation#getCurrentUser()}, and the request argument is not consulted,
 * so callers must not rely on this provider to actually impersonate anyone.
 *
 * @param impersonationRequest the request (unused by this implementation)
 * @return the current user's UGI tagged with the authenticated principal's Kerberos name
 * @throws IOException propagated from the current-user lookup
 */
@Override
public UGIWithPrincipal getConfiguredUGI(ImpersonationRequest impersonationRequest) throws IOException {
  String kerberosPrincipal = authenticationContext.getPrincipal().getKerberosPrincipal();
  UserGroupInformation self = UserGroupInformation.getCurrentUser();
  return new UGIWithPrincipal(kerberosPrincipal, self);
}
} // closes the enclosing class, whose header lies outside this excerpt
/**
 * Resolves the UGI under which an operation on {@code entityId} should run.
 * <p>
 * The current user is returned unchanged (no impersonation) in three cases: Kerberos is
 * disabled, the entity lives in the system namespace, or the current user is not the master
 * user. The last case means the call is already executing as an impersonated user, and
 * nesting a second impersonation on top of it is deliberately refused and logged
 * (see CDAP-8641 and CDAP-13123; the original authors note this as a temporary fix pending a
 * revisit of the impersonation model).
 *
 * @param entityId           the namespaced entity the operation targets
 * @param impersonatedOpType the kind of operation being performed
 * @return the UGI to perform the operation as
 * @throws IOException if the current user or the configured UGI cannot be obtained
 */
private UserGroupInformation getUGI(NamespacedEntityId entityId,
                                    ImpersonatedOpType impersonatedOpType) throws IOException {
  UserGroupInformation caller = UserGroupInformation.getCurrentUser();

  // Neither a disabled Kerberos setup nor the system namespace ever impersonates.
  if (!kerberosEnabled || NamespaceId.SYSTEM.equals(entityId.getNamespaceId())) {
    return caller;
  }

  ImpersonationRequest request = new ImpersonationRequest(entityId, impersonatedOpType);

  // Only the master user may initiate impersonation; any other short name means we are
  // already inside an impersonated call and must not escalate/chain further.
  boolean alreadyImpersonated = !caller.getShortUserName().equals(masterShortUsername);
  if (alreadyImpersonated) {
    LOG.debug("Not impersonating for {} as the call is already impersonated as {}", request, caller);
    IMPERSONATION_FAILTURE_LOG.warn("Not impersonating for {} as the call is already impersonated as {}",
                                    request, caller);
    return caller;
  }

  UGIWithPrincipal configured = ugiProvider.getConfiguredUGI(request);
  return configured.getUGI();
}
} // closes the enclosing class, whose header lies outside this excerpt
Assert.assertFalse(aliceUGIWithPrincipal.getUGI().hasKerberosCredentials()); aliceUGIWithPrincipal.getUGI().getCredentials().getToken(new Text("entity")); Assert.assertArrayEquals(aliceEntity.toString().getBytes(StandardCharsets.UTF_8), token.getIdentifier()); Assert.assertArrayEquals(aliceEntity.toString().getBytes(StandardCharsets.UTF_8), token.getPassword()); Assert.assertEquals(new Text("service"), token.getService()); token = aliceUGIWithPrincipal.getUGI().getCredentials().getToken(new Text("opType")); Assert.assertArrayEquals(aliceImpRequest.getImpersonatedOpType().toString().getBytes(StandardCharsets.UTF_8), token.getIdentifier());
/**
 * Test helper: fetches the UGI for {@code impersonationRequest} from {@code provider} and asserts
 * that it is Kerberos-authenticated, carries Kerberos credentials, is tagged with
 * {@code principalId}'s principal, and that a repeated lookup yields the same cached instance.
 *
 * @param provider             the provider under test
 * @param principalId          the principal the returned UGI is expected to be tagged with
 * @param impersonationRequest the request to resolve
 * @return the resolved UGI with its principal, for further assertions by the caller
 * @throws IOException propagated from the provider
 */
private UGIWithPrincipal verifyAndGetUGI(UGIProvider provider, KerberosPrincipalId principalId,
                                         ImpersonationRequest impersonationRequest) throws IOException {
  UGIWithPrincipal resolved = provider.getConfiguredUGI(impersonationRequest);
  UserGroupInformation ugi = resolved.getUGI();

  Assert.assertEquals(UserGroupInformation.AuthenticationMethod.KERBEROS, ugi.getAuthenticationMethod());
  Assert.assertEquals(principalId.getPrincipal(), resolved.getPrincipal());
  Assert.assertTrue(ugi.hasKerberosCredentials());

  // The provider caches per request, so a second lookup must hand back the identical UGI object.
  UGIWithPrincipal again = provider.getConfiguredUGI(impersonationRequest);
  Assert.assertSame(ugi, again.getUGI());

  return resolved;
}
return new UGIWithPrincipal(impersonationRequest.getPrincipal(), UserGroupInformation.getCurrentUser()); return new UGIWithPrincipal(impersonationRequest.getPrincipal(), loggedInUGI); } finally { if (!isKeytabLocal && !localKeytabFile.delete()) {
throw new ServiceException(e, HttpResponseStatus.INTERNAL_SERVER_ERROR); Credentials credentials = ImpersonationUtils.doAs(ugiWithPrincipal.getUGI(), new Callable<Credentials>() { @Override public Credentials call() throws Exception { credentials.writeTokenStorageToStream(os); LOG.debug("Wrote credentials for user {} to {}", ugiWithPrincipal.getPrincipal(), credentialsFile); PrincipalCredentials principalCredentials = new PrincipalCredentials(ugiWithPrincipal.getPrincipal(), credentialsFile.toURI().toString()); responder.sendJson(HttpResponseStatus.OK, GSON.toJson(principalCredentials));
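/**
 * Obtains an impersonated UGI by asking the remote service for the principal's credentials.
 * <p>
 * The request is forwarded as JSON; the response names the principal and a path from which the
 * credentials are read into a fresh remote-user UGI. The path is deleted afterwards regardless
 * of outcome so the materialized credentials do not linger; a failed delete is only logged.
 * <p>
 * An empty or malformed response (which GSON turns into {@code null}) or a response without a
 * credentials path is rejected with an {@link IOException} carrying the request, instead of
 * surfacing as a bare {@code NullPointerException} further down.
 *
 * @param impersonationRequest the entity, operation type and principal to impersonate
 * @return the impersonated UGI, tagged with the principal returned by the service
 * @throws IOException if the remote call fails, the response carries no usable credentials
 *         reference, or the credentials cannot be read
 */
@Override
protected UGIWithPrincipal createUGI(ImpersonationRequest impersonationRequest) throws IOException {
  ImpersonationRequest jsonRequest = new ImpersonationRequest(impersonationRequest.getEntityId(),
                                                              impersonationRequest.getImpersonatedOpType(),
                                                              impersonationRequest.getPrincipal());
  PrincipalCredentials principalCredentials =
    GSON.fromJson(executeRequest(jsonRequest).getResponseBodyAsString(), PrincipalCredentials.class);
  LOG.debug("Received response: {}", principalCredentials);

  // GSON yields null for an empty or literal-null body; fail with context rather than NPE below.
  if (principalCredentials == null || principalCredentials.getCredentialsPath() == null) {
    throw new IOException("No credentials returned for impersonation request " + jsonRequest);
  }

  Location location = locationFactory.create(URI.create(principalCredentials.getCredentialsPath()));
  try {
    String user = principalCredentials.getPrincipal();
    if (impersonationRequest.getImpersonatedOpType() == ImpersonatedOpType.EXPLORE) {
      // For explore operations, we use the short name in UserGroupInformation, to avoid an incorrect
      // check in Hive. See CDAP-12930
      user = new KerberosName(user).getShortName();
    }
    UserGroupInformation impersonatedUGI = UserGroupInformation.createRemoteUser(user);
    impersonatedUGI.addCredentials(readCredentials(location));
    return new UGIWithPrincipal(principalCredentials.getPrincipal(), impersonatedUGI);
  } finally {
    // Best-effort cleanup of the credentials location. Failures are logged, not thrown, so they
    // can neither mask an exception from the try block nor turn a successful lookup into a failure.
    try {
      if (!location.delete()) {
        LOG.warn("Failed to delete location: {}", location);
      }
    } catch (IOException e) {
      LOG.warn("Exception raised when deleting location {}", location, e);
    }
  }
}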
eveUGIWithPrincipal.getUGI().getAuthenticationMethod()); Assert.assertTrue(eveUGIWithPrincipal.getUGI().hasKerberosCredentials()); Assert.assertEquals(eveKerberosPrincipalId.getPrincipal(), eveUGIWithPrincipal.getPrincipal());