CDAP-13123 fix stream exploration #9931
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| if (currUserShortName.equals(masterShortUsername) || currUserShortName.equals(configuredUGI.getShortUserName())) { | ||
| return configuredUGI; | ||
| // if the current user is not same as cdap master user then it means we are already impersonating some user | ||
| // and hence we should not allow another impersonation. See CDAP-8641 |
There was a problem hiding this comment.
It would be good to add a reference to CDAP-13123 here, saying that this behavior will likely change in future.
| return configuredUGI; | ||
| // if the current user is not same as cdap master user then it means we are already impersonating some user | ||
| // and hence we should not allow another impersonation. See CDAP-8641 | ||
| if (!UserGroupInformation.getCurrentUser().getShortUserName().equals(masterShortUsername)) { |
There was a problem hiding this comment.
Would be good to store UserGroupInformation.getCurrentUser() in a temp variable so that we don't have to make multiple calls.
chtyim
reviewed
Feb 26, 2018
| @@ -36,6 +38,7 @@ | |||
| public class DefaultImpersonator implements Impersonator { | |||
|
|
|||
| private static final Logger LOG = LoggerFactory.getLogger(DefaultImpersonator.class); | |||
| private static final Logger IMPERSONATION_FAILTURE_LOG = Loggers.sampling(LOG, LogSamplers.limitRate(100)); | |||
There was a problem hiding this comment.
The rate limit frequency is in milliseconds. This mean it is allowed to emit one log per 100 ms. Is that what you wanted?
There was a problem hiding this comment.
No. I have updated the pr to emit one log per 100 calls.
|
@chtyim addressed the comments, pls take a another look, thank you! |
yaojiefeng
force-pushed
the
feature_release/CDAP-13123-fix-stream-explore
branch
from
efc681b
to
395981b
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pr basically reverts #9092, and adds the limit log. Note that this is just a short term fix, created https://issues.cask.co/browse/CDAP-13133 for long term fix.
The stream exploration is failing in impersonated namespace since in https://github.com/caskdata/cdap/blob/release/4.3/cdap-explore/src/main/java/co/cask/cdap/explore/executor/NamespacedExploreQueryExecutorHttpHandler.java#L76 and https://github.com/caskdata/cdap/blob/release/4.3/cdap-data-fabric/src/main/java/co/cask/cdap/data2/transaction/stream/FileStreamAdmin.java#L284, we will do two impersonator calls. In first call, CDAP will try to impersonate as the namespace owner. This can access the system dataset because of https://github.com/caskdata/cdap/blob/release/4.3/cdap-data-fabric/src/main/java/co/cask/cdap/data2/datafabric/dataset/DatasetServiceClient.java#L345-L357. But in second call, the namespace owner will try to impersonate the stream owner, but this is not allowed in our impersonator model and since the current ugi is not equal to cdap master principal, the namespace owner will not be able to access the owner store.