  1. The user can provide pipeline impersonation information as run-time arguments ('system.runtime.keytab.path', 'system.runtime.principal.name') through the 'Run' option on the UI. The user then runs the pipeline.
    Execution flow reaches the createUGI() API in DefaultUGIProvider, where we check whether the entityId is of type ProgramRunId and extract all pipeline run-time arguments as a Map.
  2. We then check whether the above impersonation properties are present in the map.
  3. If the run-time impersonation properties are present, we create a UGI using the API UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab) and return this UGI. The application will be impersonated using the provided run-time principal/keytab.
  4. If either or both of the run-time impersonation properties are absent, CDAP falls back to the pre-existing behavior.
  5. To authorize a user to use a Kerberos principal, authorization checks have been added in the ProgramLifecycleService APIs run() and start(). Using an AuthorizationEnforcer instance, we check whether the current user has 'admin' privilege on the Kerberos principal specified in the run-time arguments. If so, the pipeline is run; otherwise an exception is thrown to the caller and the pipeline fails.
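
The decision flow in the steps above, as an added sketch that is not CDAP source code: it folds the authorization check from run()/start() and the property check from createUGI() into one method so the ordering is visible. `AdminCheck`, `Impersonation` and `resolve` are hypothetical names, and the users, principal and keytab path are constructed sample values.

```java
import java.util.Map;
import java.util.Optional;

/** Added illustration of the run-time impersonation decision; not CDAP code. Needs Java 16+. */
public class RuntimeImpersonationSketch {
  // Run-time argument names as given on the page.
  static final String KEYTAB_PATH = "system.runtime.keytab.path";
  static final String PRINCIPAL_NAME = "system.runtime.principal.name";

  /** Hypothetical stand-in for the AuthorizationEnforcer 'admin' check on a Kerberos principal. */
  interface AdminCheck { boolean hasAdmin(String user, String kerberosPrincipal); }

  /** The pair that would be passed to loginUserFromKeytabAndReturnUGI(principal, keytab). */
  record Impersonation(String principal, String keytab) {}

  /** An empty result means: fall back to the pre-existing impersonation behavior. */
  static Optional<Impersonation> resolve(String user, Map<String, String> runtimeArgs, AdminCheck check) {
    String principal = runtimeArgs.get(PRINCIPAL_NAME);
    String keytab = runtimeArgs.get(KEYTAB_PATH);
    // Step 5: authorize before anything touches the keytab; a failure aborts the run.
    if (principal != null && !check.hasAdmin(user, principal)) {
      throw new SecurityException(user + " lacks 'admin' on Kerberos principal " + principal);
    }
    // Step 4: both properties are required; a partial pair is never used for login.
    if (principal == null || keytab == null) {
      return Optional.empty();
    }
    return Optional.of(new Impersonation(principal, keytab));
  }

  public static void main(String[] args) {
    // Constructed sample policy: only alice holds 'admin' on the etl principal.
    AdminCheck check = (u, p) -> u.equals("alice") && p.equals("etl@EXAMPLE.COM");
    Map<String, String> full = Map.of(PRINCIPAL_NAME, "etl@EXAMPLE.COM",
                                      KEYTAB_PATH, "/etc/security/keytabs/etl.keytab");
    Map<String, String> keytabOnly = Map.of(KEYTAB_PATH, "/etc/security/keytabs/etl.keytab");

    System.out.println(resolve("alice", full, check));
    System.out.println(resolve("bob", keytabOnly, check));
    try {
      resolve("bob", full, check);
    } catch (SecurityException e) {
      System.out.println("denied: " + e.getMessage());
    }
  }
}
```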