[HDFS-16756] RBF proxies the client's user by the login user to enable CacheEntry - ASF JIRA

Log work

Agile Board

Rank to Top

Rank to Bottom

Attach files

Attach Screenshot

Bulk Copy Attachments

Bulk Move Attachments

Voters

Stop watching

Watchers

Create sub-task

Convert to sub-task

Move

Link

Clone

Labels

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.4.0
Fix Version/s: 3.4.0
Component/s: rbf
Labels:
- pull-request-available

Target Version/s:

3.4.0
Hadoop Flags:

Reviewed

Description

RBF just proxies the client's user by the login user for Kerberos authentication. If the cluster uses the SIMPLE authentication method, the RBF will not proxies the client's user by the login user, the downstream namespace will not use the real clientIp, clientPort, clientId and callId even if the namenode configured dfs.namenode.ip-proxy-users.

And the related code as bellow:

UserGroupInformation connUGI = ugi;
if (UserGroupInformation.isSecurityEnabled()) {
  UserGroupInformation routerUser = UserGroupInformation.getLoginUser();
  connUGI = UserGroupInformation.createProxyUser(
      ugi.getUserName(), routerUser);
}