Explore query on streams fails in an impersonated namespace with authorization enabled

Description

In https://github.com/caskdata/cdap/pull/9092, we introduced a regression in the stream explore query. We try to access the owner store before we check whether the current UGI is able to impersonate. If the user does not have access to the owner store, an UnAuthorizedException is thrown.

Release Notes

Fixed a bug where an ad-hoc exploration query on streams would fail in an impersonated namespace.

Activity

Yaojie Feng
February 27, 2018, 12:04 AM
Yaojie Feng
February 26, 2018, 7:21 PM

The stream exploration is failing in an impersonated namespace because in https://github.com/caskdata/cdap/blob/release/4.3/cdap-explore/src/main/java/co/cask/cdap/explore/executor/NamespacedExploreQueryExecutorHttpHandler.java#L76 and https://github.com/caskdata/cdap/blob/release/4.3/cdap-data-fabric/src/main/java/co/cask/cdap/data2/transaction/stream/FileStreamAdmin.java#L284, we will do two impersonator calls. In the first call, CDAP will try to impersonate the namespace owner. This call can access the system dataset because of https://github.com/caskdata/cdap/blob/release/4.3/cdap-data-fabric/src/main/java/co/cask/cdap/data2/datafabric/dataset/DatasetServiceClient.java#L345-L357. In the second call, however, the namespace owner will try to impersonate the stream owner. This is not allowed in our impersonator model, and since the current UGI is not equal to the CDAP master principal, the namespace owner will not be able to access the owner store.
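The check ordering described in this ticket, as an added model that is not part of the ticket or CDAP's code: every name below (`owner_of`, `do_as_regressed`, `do_as_fixed`, `explore_stream`) and all sample principals are constructed, and falling back to the current user when impersonation is not possible is an assumption.

```python
MASTER = "cdap"                                   # constructed master principal
OWNERS = {"ns1": "alice", "ns1.stream1": "bob"}   # constructed owner store contents
current_user = MASTER                             # stands in for the current UGI


class UnauthorizedError(Exception):
    pass


def owner_of(entity):
    """Owner store lookup; only the master principal may read it."""
    if current_user != MASTER:
        raise UnauthorizedError(f"{current_user} cannot read the owner store")
    return OWNERS[entity]


def run_as(user, fn):
    """Run fn with the current principal switched to user, then restore it."""
    global current_user
    prev, current_user = current_user, user
    try:
        return fn()
    finally:
        current_user = prev


def do_as_regressed(entity, fn):
    owner = owner_of(entity)        # lookup first: raises for any non-master caller
    if current_user != MASTER:
        return fn()
    return run_as(owner, fn)


def do_as_fixed(entity, fn):
    if current_user != MASTER:      # cannot impersonate, so never touch the owner store
        return fn()                 # assumption: continue as the current user
    return run_as(owner_of(entity), fn)


def explore_stream(do_as):
    """Two nested impersonation calls: the namespace first, then the stream."""
    return do_as("ns1", lambda: do_as("ns1.stream1",
                                      lambda: f"query ran as {current_user}"))
```
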

Fixed

Assignee

Yaojie Feng

Reporter

Yaojie Feng

Docs Impact

None

UX Impact

None

Priority

Major