hadoop-common-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From omal...@apache.org
Subject svn commit: r1077465 - in /hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop: ipc/Client.java security/UserGroupInformation.java
Date Fri, 04 Mar 2011 04:17:49 GMT
Author: omalley
Date: Fri Mar  4 04:17:49 2011
New Revision: 1077465

URL: http://svn.apache.org/viewvc?rev=1077465&view=rev
Log:
commit 652fe6f04263a70084a7595c3af47d4f610c5569
Author: Boris Shkolnik <borya@yahoo-inc.com>
Date:   Fri May 14 17:35:40 2010 -0700

    HADOOP:6706 from https://issues.apache.org/jira/secure/attachment/12444549/HADOOP-6706-BP20-fix3.patch
    
    +++ b/YAHOO-CHANGES.txt
    +    HADOOP-6706.FIX. Relogin behavior for RPC clients could be improved
    +    (boryas)
    +

Modified:
    hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/ipc/Client.java
    hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/UserGroupInformation.java

Modified: hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/ipc/Client.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/ipc/Client.java?rev=1077465&r1=1077464&r2=1077465&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/ipc/Client.java
(original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/ipc/Client.java
Fri Mar  4 04:17:49 2011
@@ -358,9 +358,13 @@ public class Client {
         UserGroupInformation.getCurrentUser();
       UserGroupInformation realUser = currentUser.getRealUser();
       if (authMethod == AuthMethod.KERBEROS && 
+          loginUser != null &&
+          //Make sure user logged in using Kerberos either keytab or TGT
+          loginUser.hasKerberosCredentials() && 
           // relogin only in case it is the login user (e.g. JT)
-          // or superuser (like oozie).
-          (currentUser.equals(loginUser) || loginUser.equals(realUser))) {
+          // or superuser (like oozie). 
+          (loginUser.equals(currentUser) || loginUser.equals(realUser))
+          ) {
           return true;
       }
       return false;

Modified: hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/UserGroupInformation.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/UserGroupInformation.java?rev=1077465&r1=1077464&r2=1077465&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/UserGroupInformation.java
(original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/UserGroupInformation.java
Fri Mar  4 04:17:49 2011
@@ -269,6 +269,7 @@ public class UserGroupInformation {
   // All non-static fields must be read-only caches that come from the subject.
   private final User user;
   private final boolean isKeytab;
+  private final boolean isKrbTkt;
   
   private static final String OS_LOGIN_MODULE_NAME;
   private static final Class<? extends Principal> OS_PRINCIPAL_CLASS;
@@ -410,6 +411,15 @@ public class UserGroupInformation {
     this.subject = subject;
     this.user = subject.getPrincipals(User.class).iterator().next();
     this.isKeytab = !subject.getPrivateCredentials(KerberosKey.class).isEmpty();
+    this.isKrbTkt = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
+  }
+  
+  /**
+   * checks if logged in using kerberos
+   * @return true if the subject logged via keytab or has a Kerberos TGT
+   */
+  public boolean hasKerberosCredentials() {
+    return isKeytab || isKrbTkt;
   }
 
   /**
@@ -598,7 +608,7 @@ public class UserGroupInformation {
   throws IOException {
     if (!isSecurityEnabled() || 
         user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS ||
-        isKeytab)
+        !isKrbTkt)
       return;
     LoginContext login = getLogin();
     if (login == null) {



Mime
View raw message