[HADOOP-15997] KMS client uses wrong UGI after HADOOP-14445 - ASF JIRA

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Blocker
Resolution: Fixed
Affects Version/s: 3.2.0, 3.0.4, 3.1.2
Fix Version/s: 3.2.0, 3.3.0, 3.1.2
Component/s: kms
Labels:
None
Environment:

Hadoop 3.0.x (CDH6.x), Kerberized, HDFS at-rest encryption, multiple KMS

Hadoop Flags:

Reviewed

Description

After ~~HADOOP-14445~~, KMS client always authenticates itself using the credentials from login user, rather than current user.

2018-12-07 15:58:30,663 DEBUG [main] org.apache.hadoop.crypto.key.kms.KMSClientProvider: Using loginUser when Kerberos is enabled but the actual user does not have either KMS Delegation Token or Kerberos Credentials

The log message "Using loginUser when Kerberos is enabled but the actual user does not have either KMS Delegation Token or Kerberos Credentials" is printed because KMSClientProvider#containsKmsDt() is null when it definitely has the kms delegation token.

In fact, KMSClientProvider#containsKmsDt() should select delegation token using clientTokenProvider.selectDelegationToken(creds) rather than checking if its dtService is in the user credentials.

This is done correctly in KMSClientProvider#createAuthenticatedURL though.

We found this bug when it broke Cloudera's Backup and Disaster Recovery tool.

Daryn Sharp Xiao Chen mind taking a look? ~~HADOOP-14445~~ is a huge patch but it is almost perfect except for this bug.