CDAP / CDAP-11985

The UGI cache should return correct ugi for each entity

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 4.2.0, 4.1.1
    • Fix Version/s: 4.3.0, 4.2.1, 4.1.2
    • Component/s: Security
    • Labels:
      None
    • Release Notes:
      Fixed a bug where the ugi provider returned old and incorrect ugi information.

      Description

      We are using ImpersonationRequest as the cache key for the impersonation cache. But since we do not know the principal when we make the request, when two different principals try to get the ugi within the cache timeout, the ugi we return will always be for the first principal.

      To reproduce:
        1. Create a namespace as cdap.
        2. Delete the namespace.
        3. Create a namespace impersonated as alice (alice does not have permission on hdfs).
      Creation will succeed, since on hdfs we are impersonating as cdap.
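
The cache-key behaviour described above, modelled as an added example (not CDAP code and not part of the original issue), next to one way of avoiding it: resolve the principal first and make it part of the key. Assumptions: `Request`, `PrincipalKey`, `owners` and `login()` are hypothetical stand-ins, the recreated namespace reuses the same name, and the cache timeout is modelled as "no eviction".

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration: a simplified model with hypothetical names, not CDAP code.
public class UgiCacheKeyDemo {
    // Stand-in for an impersonation request: it names the entity, not the principal.
    record Request(String entityId, String opType) {}
    // Cache key that also carries the principal resolved for the entity.
    record PrincipalKey(Request request, String principal) {}

    // Stand-in for the owner store: entity -> principal configured at creation.
    static final Map<String, String> owners = new HashMap<>();
    static final Map<Request, String> byRequest = new HashMap<>();
    static final Map<PrincipalKey, String> byPrincipal = new HashMap<>();

    // Stand-in for the expensive login that the cache is meant to avoid.
    static String login(String principal) {
        return "ugi:" + principal;
    }

    // Behaviour described in the issue: the key has no principal,
    // so whichever principal populated the entry first wins.
    static String lookupByRequest(Request r) {
        return byRequest.computeIfAbsent(r, k -> login(owners.get(k.entityId())));
    }

    // Resolve the principal before the lookup and include it in the key.
    static String lookupByPrincipal(Request r) {
        PrincipalKey key = new PrincipalKey(r, owners.get(r.entityId()));
        return byPrincipal.computeIfAbsent(key, k -> login(k.principal()));
    }

    public static void main(String[] args) {
        Request create = new Request("namespace:ns1", "CREATE");

        owners.put("namespace:ns1", "cdap");   // step 1: namespace created as cdap
        System.out.println(lookupByRequest(create) + " / " + lookupByPrincipal(create));

        owners.remove("namespace:ns1");        // step 2: namespace deleted
        owners.put("namespace:ns1", "alice");  // step 3: recreated, impersonated as alice

        // Same request, different principal, no eviction in between.
        // Request-only key: the entry cached during step 1 is reused.
        System.out.println("request-only key:    " + lookupByRequest(create));
        // Principal in key: a separate entry is created for alice.
        System.out.println("key with principal:  " + lookupByPrincipal(create));
    }
}
```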


            People

            • Assignee:
              yaojie Yaojie Feng
              Reporter:
              yaojie Yaojie Feng