...
- User can provide pipeline impersonation information as run-time arguments ('pipeline.keytab.path', 'pipeline.principal.name') through the 'Configure' > 'Run' option on the UI, as extra configuration properties in the 'Engine' config box. The user then runs the pipeline.
- Execution flow reaches the createUGI() API of DefaultUGIProvider (invoked by DistributedProgramRunner), where we check whether the entityId is of type ProgramRunId and, if so, extract all pipeline run-time configs as a Map using 'program.getApplicationSpecification().getConfiguration()'. We then extract the 'properties' map from this configuration string and check whether the above run-time impersonation properties are present in the map.
- If the runtime impersonation properties are present, we create a UGI using the API UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab) and return this UGI. The application is impersonated using the provided run-time principal/keytab by calling a new API, 'impersonator.doAs(entityId, callable, keytab, principal)'; otherwise it falls back to default CDAP behavior. The new API implementation creates a new UGI if Kerberos is enabled, using UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab), and calls ImpersonationUtils.doAs(ugi, callable).
- If either or both of the runtime impersonation properties are absent, CDAP falls back to the pre-existing behavior.
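The flow above, written out as an added illustration (not CDAP's own code): the run-time 'properties' map is parsed out of the configuration string, a keytab-based UGI is created only when both keys are present, and otherwise the caller's default UGI is returned. It assumes Gson for the JSON parsing, the Hadoop UserGroupInformation API, and that the ProgramRunId check has already been done by the caller; the `RuntimeImpersonationUgi` class and `defaultUgi` parameter are hypothetical names.

```java
import com.google.gson.Gson;
import com.google.gson.reflect.TypeToken;
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import java.util.concurrent.Callable;
import org.apache.hadoop.security.UserGroupInformation;

// Hypothetical helper illustrating the run-time impersonation decision.
public class RuntimeImpersonationUgi {
  static final String KEYTAB_KEY = "pipeline.keytab.path";
  static final String PRINCIPAL_KEY = "pipeline.principal.name";

  // Returns {principal, keytab} from the "properties" map of the configuration
  // string, or null if either key is missing (=> fall back to default CDAP behavior).
  static String[] runtimeImpersonationArgs(String configJson) {
    Map<String, Object> config = new Gson().fromJson(
        configJson, new TypeToken<Map<String, Object>>() {}.getType());
    Object props = config == null ? null : config.get("properties");
    if (!(props instanceof Map)) {
      return null;
    }
    Map<?, ?> properties = (Map<?, ?>) props;
    Object principal = properties.get(PRINCIPAL_KEY);
    Object keytab = properties.get(KEYTAB_KEY);
    if (principal == null || keytab == null) {
      return null;
    }
    return new String[] {principal.toString(), keytab.toString()};
  }

  // Creates the UGI for the run: keytab login when both run-time properties are
  // present and Kerberos is enabled, otherwise the pre-existing default UGI.
  // Open item from the ToDo: whether the submitting user may impersonate this
  // principal must still be authorized before this UGI is used.
  static UserGroupInformation createUGI(String configJson, UserGroupInformation defaultUgi)
      throws IOException {
    String[] args = runtimeImpersonationArgs(configJson);
    if (args == null || !UserGroupInformation.isSecurityEnabled()) {
      return defaultUgi;
    }
    return UserGroupInformation.loginUserFromKeytabAndReturnUGI(args[0], args[1]);
  }

  // Runs the callable as the given UGI, as ImpersonationUtils.doAs(ugi, callable) would.
  static <T> T doAs(UserGroupInformation ugi, Callable<T> callable)
      throws IOException, InterruptedException {
    return ugi.doAs((PrivilegedExceptionAction<T>) callable::call);
  }
}
```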
ToDo:
- How to handle authorization: is the current user (who submits the run) allowed to impersonate the principal?
...