Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. User can provide pipeline impersonation information as run-time iarguments arguments ('pipelinesystem.runtime.keytab.path', 'pipelinesystem.runtime.principal.name') through ‘Run’ option on the UI. User then runs the pipeline.
    Execution flow comes to createUGI() API in DefaultUGIProvider where we check if the entityId is of type ProgramRunId and extract all pipeline run-time arguments as a Map.
  2. We then check if the above impersonation properties are present in map or not.
  3. If runtime run-time impersonation properties are present, we create a UGI using API UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab) and return this UGI. The application will be impersonated using the provided run-time principal/keytab.
  4. If either or both of the runtime run-time impersonation properties are absent, CDAP fallback to pre-existing behavior.

ToDo:

...

  1. For Authorization of user to use any Kerberos principal, authorization checks have been added in ProgramLifecycleService APIs run() and start(). Using AuthorizationEnforcer instance, we check if current user has 'admin' privilege access on Kerberos principal specified in run-time arguments. If yes, pipeline is run else exception is thrown to the caller and pipeline fails.