New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CDAP-13123 fix stream exploration #9931
CDAP-13123 fix stream exploration #9931
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just two minor comments Yaojie.
if (currUserShortName.equals(masterShortUsername) || currUserShortName.equals(configuredUGI.getShortUserName())) { | ||
return configuredUGI; | ||
// if the current user is not same as cdap master user then it means we are already impersonating some user | ||
// and hence we should not allow another impersonation. See CDAP-8641 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be good to add a reference to CDAP-13123 here, saying that this behavior will likely change in future.
return configuredUGI; | ||
// if the current user is not same as cdap master user then it means we are already impersonating some user | ||
// and hence we should not allow another impersonation. See CDAP-8641 | ||
if (!UserGroupInformation.getCurrentUser().getShortUserName().equals(masterShortUsername)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would be good to store UserGroupInformation.getCurrentUser()
in a temp variable so that we don't have to make multiple calls.
@@ -36,6 +38,7 @@ | |||
public class DefaultImpersonator implements Impersonator { | |||
|
|||
private static final Logger LOG = LoggerFactory.getLogger(DefaultImpersonator.class); | |||
private static final Logger IMPERSONATION_FAILTURE_LOG = Loggers.sampling(LOG, LogSamplers.limitRate(100)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The rate limit frequency is in milliseconds. This mean it is allowed to emit one log per 100 ms. Is that what you wanted?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No. I have updated the pr to emit one log per 100 calls.
@chtyim addressed the comments, pls take a another look, thank you! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
efc681b
to
395981b
Compare
This pr basically reverts #9092, and adds the limit log. Note that this is just a short term fix, created https://issues.cask.co/browse/CDAP-13133 for long term fix.
The stream exploration is failing in impersonated namespace since in https://github.com/caskdata/cdap/blob/release/4.3/cdap-explore/src/main/java/co/cask/cdap/explore/executor/NamespacedExploreQueryExecutorHttpHandler.java#L76 and https://github.com/caskdata/cdap/blob/release/4.3/cdap-data-fabric/src/main/java/co/cask/cdap/data2/transaction/stream/FileStreamAdmin.java#L284, we will do two impersonator calls. In first call, CDAP will try to impersonate as the namespace owner. This can access the system dataset because of https://github.com/caskdata/cdap/blob/release/4.3/cdap-data-fabric/src/main/java/co/cask/cdap/data2/datafabric/dataset/DatasetServiceClient.java#L345-L357. But in second call, the namespace owner will try to impersonate the stream owner, but this is not allowed in our impersonator model and since the current ugi is not equal to cdap master principal, the namespace owner will not be able to access the owner store.