diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-api/src/main/java/org/apache/hadoop/yarn/service/client/ApiServiceClient.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-api/src/main/java/org/apache/hadoop/yarn/service/client/ApiServiceClient.java index 15c1babfc8..09249aef0a 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-api/src/main/java/org/apache/hadoop/yarn/service/client/ApiServiceClient.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-api/src/main/java/org/apache/hadoop/yarn/service/client/ApiServiceClient.java @@ -280,6 +280,17 @@ private Builder getApiClient() throws IOException { */ private Builder getApiClient(String requestPath) throws IOException { + + UserGroupInformation currentUser = UserGroupInformation.getCurrentUser(); + if(currentUser.getRealUser() != null){ + String doAsUser = currentUser.getShortUserName(); + UriBuilder builder = UriBuilder.fromUri(requestPath); + builder.queryParam(RestApiConstants.PARAM_DOAS, doAsUser); + requestPath = builder.build().toString(); + + LOG.debug("yarn-service requestPath={}", requestPath); + } + Client client = Client.create(getClientConfig()); Configuration conf = getConfig(); client.setChunkedEncodingSize(null); diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-api/src/main/java/org/apache/hadoop/yarn/service/webapp/ApiServer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-api/src/main/java/org/apache/hadoop/yarn/service/webapp/ApiServer.java index 9537e42a8e..eafd6e479a 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-api/src/main/java/org/apache/hadoop/yarn/service/webapp/ApiServer.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-api/src/main/java/org/apache/hadoop/yarn/service/webapp/ApiServer.java @@ -26,6 +26,8 @@ import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.security.AccessControlException; import org.apache.hadoop.security.UserGroupInformation; +import org.apache.hadoop.security.authorize.AuthorizationException; +import org.apache.hadoop.security.authorize.ProxyUsers; import org.apache.hadoop.util.VersionInfo; import org.apache.hadoop.yarn.api.records.ApplicationId; import org.apache.hadoop.yarn.conf.YarnConfiguration; @@ -929,14 +931,28 @@ private UserGroupInformation getProxyUser(HttpServletRequest request) UserGroupInformation proxyUser; UserGroupInformation ugi; String remoteUser = request.getRemoteUser(); + String doAsUser = request.getParameter(PARAM_DOAS); try { if (UserGroupInformation.isSecurityEnabled()) { proxyUser = UserGroupInformation.getLoginUser(); - ugi = UserGroupInformation.createProxyUser(remoteUser, proxyUser); + if(doAsUser == null || doAsUser.equals("") || doAsUser.equals(remoteUser)) { + ugi = UserGroupInformation.createProxyUser(remoteUser, proxyUser); + } else { + UserGroupInformation requestUgi = UserGroupInformation.createRemoteUser(remoteUser); + requestUgi = UserGroupInformation.createProxyUser(doAsUser, requestUgi); + LOG.debug("doAsUser = {}, RemoteUser = {} , RemoteAddress = {} ", + doAsUser, remoteUser, request.getRemoteAddr()); + ProxyUsers.authorize(requestUgi, request.getRemoteAddr()); + ugi = UserGroupInformation.createProxyUser(doAsUser, proxyUser); + LOG.debug("Proxy user Authentication successful"); + } } else { ugi = UserGroupInformation.createRemoteUser(remoteUser); } return ugi; + } catch (AuthorizationException e){ + LOG.warn("Proxy user Authentication exception: {}", e.toString()); + throw new AccessControlException(e); } catch (IOException e) { throw new AccessControlException(e.getCause()); } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/main/java/org/apache/hadoop/yarn/service/conf/RestApiConstants.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/main/java/org/apache/hadoop/yarn/service/conf/RestApiConstants.java index 45ad7e4adb..ce9a4deb98 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/main/java/org/apache/hadoop/yarn/service/conf/RestApiConstants.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/main/java/org/apache/hadoop/yarn/service/conf/RestApiConstants.java @@ -44,6 +44,7 @@ String PARAM_COMP_NAME = "componentName"; String PARAM_VERSION = "version"; String PARAM_CONTAINER_STATE = "containerState"; + String PARAM_DOAS = "doas"; String MEDIA_TYPE_JSON_UTF8 = MediaType.APPLICATION_JSON + ";charset=utf-8";