Thanks Xiaoyu Yao for the review and suggestions.
I'm neutral on #1: it definitely touches fewer code paths and is hence safer. OTOH, it feels like a good idea to try to fix it in a more general way, to save us the effort of finding and fixing all places in the caller.
For #2, please correct me if I misunderstood. The reason we have actualUgi is that we want to perform the operation under the creator of the KMSCP. UGI#doAs will do this, and once inside the doAs, UGI#getCurrentUser will return the current user considering the doAs stack, which is actualUgi. UGI getCurrentUser also has a comment about this. I have added 1 code block in the unit test to show that proxy user works. Not sure about how to test TOKEN programmatically, but manually verified it to work as well. (Tested via the webhdfs case in HADOOP-12787, nice fix!)