From kih...@apache.org
Subject svn commit: r1594058 - in /hadoop/common/branches/branch-2.4/hadoop-common-project: hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/ hadoop-common/src/main/java/org/apache/hadoop/http/
Date Mon, 12 May 2014 19:14:19 GMT
Author: kihwal
Date: Mon May 12 19:14:18 2014
New Revision: 1594058

URL: http://svn.apache.org/r1594058
Log:
Fixing a previous merge/commit error

Modified:
    hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
    hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java

Modified: hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java?rev=1594058&r1=1594057&r2=1594058&view=diff
==============================================================================
--- hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
(original)
+++ hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
Mon May 12 19:14:18 2014
@@ -26,6 +26,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosPrincipal;
 import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.Configuration;
 import javax.security.auth.login.LoginContext;
@@ -35,9 +36,11 @@ import javax.servlet.http.HttpServletReq
 import javax.servlet.http.HttpServletResponse;
 import java.io.File;
 import java.io.IOException;
+import java.security.Principal;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
 import java.util.Properties;
 import java.util.Set;
@@ -140,7 +143,7 @@ public class KerberosAuthenticationHandl
   private String principal;
   private String keytab;
   private GSSManager gssManager;
-  private Subject serverSubject = new Subject();
+  private LoginContext loginContext;
 
   /**
    * Initializes the authentication handler instance.
@@ -173,20 +176,17 @@ public class KerberosAuthenticationHandl
         KerberosName.setRules(nameRules);
       }
       
+      Set<Principal> principals = new HashSet<Principal>();
+      principals.add(new KerberosPrincipal(principal));
+      Subject subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>());
+
+      KerberosConfiguration kerberosConfiguration = new KerberosConfiguration(keytab, principal);
+
       LOG.info("Login using keytab "+keytab+", for principal "+principal);
-      for (String servicePrincipal : principal.split(",")) {
-        final KerberosConfiguration kerberosConfiguration =
-            new KerberosConfiguration(keytab, servicePrincipal);
-        final LoginContext loginContext =
-            new LoginContext("", serverSubject, null, kerberosConfiguration);
-        try {
-          loginContext.login();
-        } catch (LoginException le) {
-          LOG.warn("Failed to login as [{}]", servicePrincipal, le);
-          throw new AuthenticationException(le);          
-        }
-        serverSubject.getPrivateCredentials().add(loginContext);
-      }
+      loginContext = new LoginContext("", subject, null, kerberosConfiguration);
+      loginContext.login();
+
+      Subject serverSubject = loginContext.getSubject();
       try {
         gssManager = Subject.doAs(serverSubject, new PrivilegedExceptionAction<GSSManager>()
{
 
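Review bot: The `loginContext.login();` call on the new side lets a LoginException propagate without the per-principal warning the removed loop emitted, so a bad keytab or principal in init() is now diagnosed only by whatever catch surrounds this block (outside the hunk, presumably wrapping into a ServletException). Keeping the log line preserves the operator-facing diagnostic for the most common SPNEGO misconfiguration, and LoginException is already in scope on the new side (it is caught in destroy()). init() starts and ends outside this hunk.
```java
      loginContext = new LoginContext("", subject, null, kerberosConfiguration);
      try {
        loginContext.login();
      } catch (LoginException le) {
        LOG.warn("Failed to login as [{}]", principal, le);
        throw le;
      }
      // … unchanged: serverSubject = loginContext.getSubject(); doAs block …
```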
@@ -211,17 +211,13 @@ public class KerberosAuthenticationHandl
    */
   @Override
   public void destroy() {
-    if (serverSubject != null) {
-      final Set<LoginContext> logins =
-          serverSubject.getPrivateCredentials(LoginContext.class);
-      for (LoginContext login : logins) {
-        try {
-          login.logout();
-        } catch (LoginException ex) {
-          LOG.warn(ex.getMessage(), ex);
-        }
+    try {
+      if (loginContext != null) {
+        loginContext.logout();
+        loginContext = null;
       }
-      serverSubject = null;
+    } catch (LoginException ex) {
+      LOG.warn(ex.getMessage(), ex);
     }
   }
 
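Review bot: In destroy(), `loginContext = null;` runs only when logout() succeeds, so after a LoginException the field still points at a context that authenticate() will keep using via `loginContext.getSubject()`. If retrying logout on a second destroy() is not the intent, clear the field in a finally so the handler always ends in the torn-down state: `} finally { loginContext = null; }`. Either way, a one-line comment stating which of the two behaviours is meant would help the next reader.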
@@ -308,7 +304,7 @@ public class KerberosAuthenticationHandl
       authorization = authorization.substring(KerberosAuthenticator.NEGOTIATE.length()).trim();
       final Base64 base64 = new Base64(0);
       final byte[] clientToken = base64.decode(authorization);
-      final String serverName = request.getServerName();
+      Subject serverSubject = loginContext.getSubject();
       try {
         token = Subject.doAs(serverSubject, new PrivilegedExceptionAction<AuthenticationToken>()
{
 
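Review bot: `Subject serverSubject = loginContext.getSubject();` dereferences the field unguarded, so a request that reaches authenticate() before init() completed, or after destroy() cleared the field, fails with a NullPointerException from inside the filter instead of a clear error. A guard such as `if (loginContext == null) { throw new IllegalStateException("KerberosAuthenticationHandler not initialized"); }` names the actual condition; the removed field-based `serverSubject` had the same gap, so this is not a regression of the commit. authenticate() starts and ends outside this hunk.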
@@ -318,15 +314,15 @@ public class KerberosAuthenticationHandl
             GSSContext gssContext = null;
             GSSCredential gssCreds = null;
             try {
-              gssCreds = gssManager.createCredential(
-                  gssManager.createName(
-                      KerberosUtil.getServicePrincipal("HTTP", serverName),
-                      KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL")),
-                  GSSCredential.INDEFINITE_LIFETIME,
-                  new Oid[]{
-                    KerberosUtil.getOidInstance("GSS_SPNEGO_MECH_OID"),
-                    KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID")},
-                  GSSCredential.ACCEPT_ONLY);
+              if (IBM_JAVA) {
+                // IBM JDK needs non-null credentials to be passed to createContext here,
with
+                // SPNEGO mechanism specified, otherwise JGSS will use its default mechanism
+                // only, which is Kerberos V5.
+                gssCreds = gssManager.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
+                    new Oid[]{KerberosUtil.getOidInstance("GSS_SPNEGO_MECH_OID"),
+                        KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID")},
+                    GSSCredential.ACCEPT_ONLY);
+              }
               gssContext = gssManager.createContext(gssCreds);
               byte[] serverToken = gssContext.acceptSecContext(clientToken, 0, clientToken.length);
               if (serverToken != null && serverToken.length > 0) {
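Review bot: On non-IBM JDKs `gssCreds` is now always null when passed to `createContext`, and the only comment explains the IBM branch, leaving the default path undocumented. A comment after the if block, e.g. `// Other JDKs: null credentials let JGSS take the acceptor credential from the Subject in effect for this doAs, i.e. the keytab login done in init().`, records why the removed explicit HTTP/<serverName> credential is no longer built. `IBM_JAVA` is referenced but not imported by this change, so it presumably is already in scope from outside the hunk. The anonymous run() method continues beyond the hunk.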

Modified: hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java?rev=1594058&r1=1594057&r2=1594058&view=diff
==============================================================================
--- hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java
(original)
+++ hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java
Mon May 12 19:14:18 2014
@@ -62,7 +62,6 @@ import org.apache.hadoop.security.author
 import org.apache.hadoop.security.ssl.SSLFactory;
 import org.apache.hadoop.util.ReflectionUtils;
 import org.apache.hadoop.util.Shell;
-import org.apache.hadoop.util.StringUtils;
 import org.mortbay.io.Buffer;
 import org.mortbay.jetty.Connector;
 import org.mortbay.jetty.Handler;
@@ -671,16 +670,11 @@ public class HttpServer implements Filte
   protected void initSpnego(Configuration conf,
       String usernameConfKey, String keytabConfKey) throws IOException {
     Map<String, String> params = new HashMap<String, String>();
-    String[] principalsInConf = conf.getStrings(usernameConfKey);
-    if (principalsInConf != null && principalsInConf.length != 0) {
-      for (int i=0; i < principalsInConf.length; i++) {
-        principalsInConf[i] =
-            SecurityUtil.getServerPrincipal(principalsInConf[i], listener.getHost());
-      }
+    String principalInConf = conf.get(usernameConfKey);
+    if (principalInConf != null && !principalInConf.isEmpty()) {
       params.put("kerberos.principal",
-          StringUtils.join(",", principalsInConf));
+                 SecurityUtil.getServerPrincipal(principalInConf, listener.getHost()));
     }
-
     String httpKeytab = conf.get(keytabConfKey);
     if (httpKeytab != null && !httpKeytab.isEmpty()) {
       params.put("kerberos.keytab", httpKeytab);
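Review bot: `conf.get(usernameConfKey)` replaces the `getStrings` split, so a configuration value still written as a comma-separated list (the form the removed code accepted) is neither split nor rejected: the whole string goes through `SecurityUtil.getServerPrincipal` and is handed on as `kerberos.principal`, where the handler change in this same commit turns it into a single KerberosPrincipal. Failing fast keeps that misconfiguration visible at startup: `if (principalInConf.contains(",")) { throw new IOException(usernameConfKey + " must name a single principal"); }`. initSpnego() continues beyond the hunk.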


