HDDS-6175. Use s3Auth during proxy during decrypt in RpcClient. (#2981)

* HDDS-6175. Use s3Auth during proxy during decrypt in RpcClient.
apache · Jan 13, 2022 · 5447f58 · 5447f58
1 parent 195737d
commit 5447f58
Showing 1 changed file with 10 additions and 6 deletions.
diff --git a/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java b/hadoop-ozone/client/src/main/java/org/apache/hadoop/ozone/client/rpc/RpcClient.java
@@ -874,13 +874,17 @@ private KeyProvider.KeyVersion getDEK(FileEncryptionInfo feInfo)
     OzoneKMSUtil.checkCryptoProtocolVersion(feInfo);
     KeyProvider.KeyVersion decrypted = null;
     try {
-      // Do proxy thing only when current UGI not matching with login UGI
-      // In this way, proxying is done only for s3g where
-      // s3g can act as proxy to end user.
+
+      // After HDDS-5881 the user will not be different,
+      // as S3G uses single RpcClient. So we should be checking thread-local
+      // S3Auth and use it during proxy.
       UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
-      if (!ugi.getShortUserName().equals(loginUser.getShortUserName())) {
-        UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(
-            ugi.getShortUserName(), loginUser);
+      UserGroupInformation proxyUser;
+      if (getThreadLocalS3Auth() != null) {
+        UserGroupInformation s3gUGI = UserGroupInformation.createRemoteUser(
+            getThreadLocalS3Auth().getAccessID());
+        proxyUser = UserGroupInformation.createProxyUser(
+            s3gUGI.getShortUserName(), loginUser);
         decrypted = proxyUser.doAs(
             (PrivilegedExceptionAction<KeyProvider.KeyVersion>) () -> {
               return OzoneKMSUtil.decryptEncryptedDataEncryptionKey(feInfo,