Introduction
The purpose of the document is to capture requirements as well as implementation details of adding Run-time impersonation support for CDAP Pipelines developed through UI.
Requirements
Here's are the requirements for this feature:
- In NIFI, users can provide Kerberos principal name and path to keytab in the flow/processor properties which is used during execution to impersonate user. In a similar fashion, user should be able to provide principal name/keytab location as arguments/properties to CDAP pipelines at run-time which should be then be used for impersonation.
- Flexibility to provide new Principal and keytab properties for a pipeline on UI as well as REST API.
- It should be possible to run the same CDAP pipeline again with different values of Kerberos principal and keytab properties (possibly by the same user).
Implementation
- User can provide pipeline run-time configs ('pipeline.keytab', 'pipeline.principal') through ‘Configure’ option on the UI as extra configuration properties in ‘Engine’ config box. User then runs the pipeline.
- Execution flow comes to DistributedProgramRunner where we extract these pipeline run-time configs using ‘program.getApplicationSpecification().getConfiguration()’.
- We then extract ‘properties’ map from this configuration string and check if the above run-time properties are present in map or not. If yes, the program will be impersonated using the provided run-time principal/keytab by calling a new API 'impersonator.doAs(entityId, callable, keytab, principal)' else will fallback to default CDAP behavior.
- The new API implementation creates a new UGI if kerberos is enabled, using UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab) and calls ImpersonationUtils.doAs(ugi, callable).
ToDo:
- How to handle Authorization? : Is the current user (who submits the run) allowed to impersonate the principal?