HDDS-6175. Use s3Auth during proxy during decrypt in RpcClient. (apac…

…he#2981) * HDDS-6175. Use s3Auth during proxy during decrypt in RpcClient.
JacksonYao287 · Feb 9, 2022 · 4a17414 · 4a17414
1 parent 63fb648
commit 4a17414
Showing 1 changed file with 10 additions and 6 deletions.
diff --git a/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java b/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java
@@ -863,13 +863,17 @@ private KeyProvider.KeyVersion getDEK(FileEncryptionInfo feInfo)
     OzoneKMSUtil.checkCryptoProtocolVersion(feInfo);
     KeyProvider.KeyVersion decrypted = null;
     try {
-      // Do proxy thing only when current UGI not matching with login UGI
-      // In this way, proxying is done only for s3g where
-      // s3g can act as proxy to end user.
+
+      // After HDDS-5881 the user will not be different,
+      // as S3G uses single RpcClient. So we should be checking thread-local
+      // S3Auth and use it during proxy.
       UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
-      if (!ugi.getShortUserName().equals(loginUser.getShortUserName())) {
-        UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(
-            ugi.getShortUserName(), loginUser);
+      UserGroupInformation proxyUser;
+      if (getThreadLocalS3Auth() != null) {
+        UserGroupInformation s3gUGI = UserGroupInformation.createRemoteUser(
+            getThreadLocalS3Auth().getAccessID());
+        proxyUser = UserGroupInformation.createProxyUser(
+            s3gUGI.getShortUserName(), loginUser);
         decrypted = proxyUser.doAs(
             (PrivilegedExceptionAction<KeyProvider.KeyVersion>) () -> {
               return OzoneKMSUtil.decryptEncryptedDataEncryptionKey(feInfo,