Explore query on streams fails in an impersonated namespace with authorization enabled
In https://github.com/caskdata/cdap/pull/9092, we had a regression bug in the stream explore query. We try to access the owner store before we check whether the current ugi is able to impersonate. If the user does not have access to the owner store, an UnAuthorizedException is thrown.
Fixed a bug where an ad-hoc exploration query on streams would fail in an impersonated namespace.
Stream exploration is failing in an impersonated namespace because, in https://github.com/caskdata/cdap/blob/release/4.3/cdap-explore/src/main/java/co/cask/cdap/explore/executor/NamespacedExploreQueryExecutorHttpHandler.java#L76 and https://github.com/caskdata/cdap/blob/release/4.3/cdap-data-fabric/src/main/java/co/cask/cdap/data2/transaction/stream/FileStreamAdmin.java#L284, we do two impersonator calls. In the first call, CDAP will try to impersonate the namespace owner. This can access the system dataset because of https://github.com/caskdata/cdap/blob/release/4.3/cdap-data-fabric/src/main/java/co/cask/cdap/data2/datafabric/dataset/DatasetServiceClient.java#L345-L357. But in the second call, the namespace owner will try to impersonate the stream owner. This is not allowed in our impersonator model, and since the current ugi is not equal to the cdap master principal, the namespace owner will not be able to access the owner store.