feat: use catalog ugi when no proxy user is specified

apache · Mar 31, 2024 · acba7ad · acba7ad
1 parent 32451f4
commit acba7ad
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 17 deletions.
diff --git a/ams/server/src/main/java/com/netease/arctic/server/terminal/TerminalSessionContext.java b/ams/server/src/main/java/com/netease/arctic/server/terminal/TerminalSessionContext.java
@@ -21,7 +21,6 @@
 import com.netease.arctic.api.config.Configurations;
 import com.netease.arctic.table.TableMetaStore;
 import org.apache.commons.io.Charsets;
-import org.apache.commons.lang.StringUtils;
 import org.apache.iceberg.relocated.com.google.common.collect.Lists;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -296,13 +295,9 @@ boolean executeStatement(TerminalSession session, String statement, int lineNo)
       TerminalSession.ResultSet rs = null;
       long begin = System.currentTimeMillis();
       try {
-        if (StringUtils.isBlank(proxyUser)) {
-          rs = session.executeStatement(catalog, statement);
-        } else {
-          rs =
-              tableMetaStore.doAsImpersonating(
-                  proxyUser, () -> session.executeStatement(catalog, statement));
-        }
+        rs =
+            tableMetaStore.doAsImpersonating(
+                proxyUser, () -> session.executeStatement(catalog, statement));
         executionResult.appendLogs(session.logs());
       } catch (Throwable t) {
         executionResult.appendLogs(session.logs());

diff --git a/core/src/main/java/com/netease/arctic/table/TableMetaStore.java b/core/src/main/java/com/netease/arctic/table/TableMetaStore.java
@@ -218,15 +218,22 @@ public <T> T doAsImpersonating(String proxyUser, Callable<T> callable) {
     if (disableAuth) {
       return call(callable);
     }
-    // create proxy user ugi and execute
-    UserGroupInformation proxyUgi =
-        UserGroupInformation.createProxyUser(proxyUser, Objects.requireNonNull(getUGI()));
-    LOG.debug(
-        "Access through the proxy account {}, proxy ugi {}, original ugi {}.",
-        proxyUser,
-        proxyUgi,
-        getUGI());
-    return proxyUgi.doAs((PrivilegedAction<T>) () -> call(callable));
+    if (StringUtils.isBlank(proxyUser)) {
+      // use the catalog ugi to execute
+      UserGroupInformation catalogUgi = getUGI();
+      LOG.debug("Access through the catalog ugi {}.", catalogUgi);
+      return catalogUgi.doAs((PrivilegedAction<T>) () -> call(callable));
+    } else {
+      // create proxy user ugi and execute
+      UserGroupInformation proxyUgi =
+          UserGroupInformation.createProxyUser(proxyUser, Objects.requireNonNull(getUGI()));
+      LOG.debug(
+          "Access through the proxy account {}, proxy ugi {}, original ugi {}.",
+          proxyUser,
+          proxyUgi,
+          getUGI());
+      return proxyUgi.doAs((PrivilegedAction<T>) () -> call(callable));
+    }
   }
 
   private <T> T call(Callable<T> callable) {