Return-Path: X-Original-To: apmail-hadoop-common-commits-archive@www.apache.org Delivered-To: apmail-hadoop-common-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 089B511074 for ; Mon, 12 May 2014 19:21:24 +0000 (UTC) Received: (qmail 33887 invoked by uid 500); 12 May 2014 19:14:44 -0000 Delivered-To: apmail-hadoop-common-commits-archive@hadoop.apache.org Received: (qmail 33818 invoked by uid 500); 12 May 2014 19:14:44 -0000 Mailing-List: contact common-commits-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: common-dev@hadoop.apache.org Delivered-To: mailing list common-commits@hadoop.apache.org Received: (qmail 33811 invoked by uid 99); 12 May 2014 19:14:44 -0000 Received: from Unknown (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 12 May 2014 19:14:44 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 12 May 2014 19:14:43 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 275B1238889B; Mon, 12 May 2014 19:14:19 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1594058 - in /hadoop/common/branches/branch-2.4/hadoop-common-project: hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/ hadoop-common/src/main/java/org/apache/hadoop/http/ Date: Mon, 12 May 2014 19:14:19 -0000 To: common-commits@hadoop.apache.org 
From: kihwal@apache.org
X-Mailer: svnmailer-1.0.9
Message-Id: <20140512191419.275B1238889B@eris.apache.org>
X-Virus-Checked: Checked by ClamAV on apache.org
Author: kihwal
Date: Mon May 12 19:14:18 2014
New Revision: 1594058
URL: http://svn.apache.org/r1594058
Log: Fixing a prev merge/commit error
Modified:
hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java
Modified: hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java?rev=1594058&r1=1594057&r2=1594058&view=diff
==============================================================================
--- hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java (original)
+++ hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java Mon May 12 19:14:18 2014
@@ -26,6 +26,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosPrincipal;
 import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.Configuration;
 import javax.security.auth.login.LoginContext;
@@ -35,9 +36,11 @@ import javax.servlet.http.HttpServletReq
 import javax.servlet.http.HttpServletResponse;
 import java.io.File;
 import java.io.IOException;
+import java.security.Principal;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
 import java.util.Properties;
 import java.util.Set;
@@ -140,7 +143,7 @@ public class KerberosAuthenticationHandl
 private String principal;
 private String keytab;
 private GSSManager gssManager;
-private Subject serverSubject = new Subject();
+private LoginContext loginContext;
 /**
 * Initializes the authentication handler instance.
@@ -173,20 +176,17 @@ public class KerberosAuthenticationHandl
 KerberosName.setRules(nameRules);
 }
+Set principals = new HashSet();
+principals.add(new KerberosPrincipal(principal));
+Subject subject = new Subject(false, principals, new HashSet(), new HashSet());
+
+KerberosConfiguration kerberosConfiguration = new KerberosConfiguration(keytab, principal);
+
 LOG.info("Login using keytab "+keytab+", for principal "+principal);
-for (String servicePrincipal : principal.split(",")) {
-final KerberosConfiguration kerberosConfiguration =
-new KerberosConfiguration(keytab, servicePrincipal);
-final LoginContext loginContext =
-new LoginContext("", serverSubject, null, kerberosConfiguration);
-try {
-loginContext.login();
-} catch (LoginException le) {
-LOG.warn("Failed to login as [{}]", servicePrincipal, le);
-throw new AuthenticationException(le);
-}
-serverSubject.getPrivateCredentials().add(loginContext);
-}
+loginContext = new LoginContext("", subject, null, kerberosConfiguration);
+loginContext.login();
+
+Subject serverSubject = loginContext.getSubject();
 try {
 gssManager = Subject.doAs(serverSubject, new PrivilegedExceptionAction() {
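Review bot: `loginContext.login()` in the init hunk now propagates LoginException without the warn log the removed loop emitted, so a keytab/principal mismatch at startup leaves no log record of which principal failed; init() begins and ends outside this hunk, so whether the exception is wrapped into the servlet's own failure type cannot be seen here. Keeping the log line costs little, e.g. `try { loginContext.login(); } catch (LoginException le) { LOG.warn("Failed to login as [{}]", principal, le); throw le; }`. Note also that `new KerberosPrincipal(principal)` now receives the whole configured value, so a comma-separated list left over from the multi-principal configuration would be treated as one principal name; the HttpServer hunk in this commit drops the join on its side, but any other producer of the `kerberos.principal` parameter would need the same change.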
@@ -211,17 +211,13 @@ public class KerberosAuthenticationHandl
 */
 @Override
 public void destroy() {
-if (serverSubject != null) {
-final Set logins =
-serverSubject.getPrivateCredentials(LoginContext.class);
-for (LoginContext login : logins) {
-try {
-login.logout();
-} catch (LoginException ex) {
-LOG.warn(ex.getMessage(), ex);
-}
+try {
+if (loginContext != null) {
+loginContext.logout();
+loginContext = null;
 }
-serverSubject = null;
+} catch (LoginException ex) {
+LOG.warn(ex.getMessage(), ex);
 }
 }
@@ -308,7 +304,7 @@ public class KerberosAuthenticationHandl
 authorization = authorization.substring(KerberosAuthenticator.NEGOTIATE.length()).trim();
 final Base64 base64 = new Base64(0);
 final byte[] clientToken = base64.decode(authorization);
-final String serverName = request.getServerName();
+Subject serverSubject = loginContext.getSubject();
 try {
 token = Subject.doAs(serverSubject, new PrivilegedExceptionAction() {
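Review bot: In destroy(), `loginContext = null;` runs only when logout() succeeds, so after a LoginException the field still points at the failed context and the warn-and-continue path leaves the handler half destroyed; the removed code had the same catch but cleared `serverSubject` unconditionally after the loop. Moving the assignment into a `finally { loginContext = null; }` clears the reference on both paths and makes a second destroy() a no-op. Whether destroy() can run concurrently with authenticate() on another thread cannot be judged from the hunk, and the field is a plain non-volatile reference, so that is worth confirming at the call sites.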
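Review bot: `Subject serverSubject = loginContext.getSubject();` in the authenticate hunk dereferences a field that init() assigns and destroy() clears, so a request reaching a handler that was never initialised or has already been destroyed fails with a NullPointerException rather than a meaningful authentication failure. A guard before the doAs, such as `if (loginContext == null) { throw new AuthenticationException("Kerberos authentication handler not initialized"); }`, gives the caller a clear error (assuming authenticate() declares AuthenticationException, as the removed init code used it). authenticate() starts before this hunk, so if it already validates that state earlier this note can be dropped.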
@@ -318,15 +314,15 @@ public class KerberosAuthenticationHandl
 GSSContext gssContext = null;
 GSSCredential gssCreds = null;
 try {
-gssCreds = gssManager.createCredential(
-gssManager.createName(
-KerberosUtil.getServicePrincipal("HTTP", serverName),
-KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL")),
-GSSCredential.INDEFINITE_LIFETIME,
-new Oid[]{
-KerberosUtil.getOidInstance("GSS_SPNEGO_MECH_OID"),
-KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID")},
-GSSCredential.ACCEPT_ONLY);
+if (IBM_JAVA) {
+// IBM JDK needs non-null credentials to be passed to createContext here, with
+// SPNEGO mechanism specified, otherwise JGSS will use its default mechanism
+// only, which is Kerberos V5.
+gssCreds = gssManager.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
+new Oid[]{KerberosUtil.getOidInstance("GSS_SPNEGO_MECH_OID"),
+KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID")},
+GSSCredential.ACCEPT_ONLY);
+}
 gssContext = gssManager.createContext(gssCreds);
 byte[] serverToken = gssContext.acceptSecContext(clientToken, 0, clientToken.length);
 if (serverToken != null && serverToken.length > 0) {
Modified: hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java?rev=1594058&r1=1594057&r2=1594058&view=diff
==============================================================================
--- hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java (original)
+++ hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java Mon May 12 19:14:18 2014
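Review bot: The new `if (IBM_JAVA)` block explains why the IBM JDK path builds explicit acceptor credentials but says nothing about every other JDK, where `gssCreds` stays null and `gssManager.createContext(gssCreds)` is left to pick the acceptor credential itself, presumably from the login Subject the surrounding doAs runs under. A one-line comment on that path would stop the next reader from treating the null as an oversight, e.g. `// Other JDKs: a null credential lets createContext() accept with the default credentials of the login Subject.` The credential obtained on the IBM path is not released inside the hunk; run() continues past the hunk end, so if a finally block there does not already dispose `gssCreds`, it should.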
@@ -62,7 +62,6 @@ import org.apache.hadoop.security.author
 import org.apache.hadoop.security.ssl.SSLFactory;
 import org.apache.hadoop.util.ReflectionUtils;
 import org.apache.hadoop.util.Shell;
-import org.apache.hadoop.util.StringUtils;
 import org.mortbay.io.Buffer;
 import org.mortbay.jetty.Connector;
 import org.mortbay.jetty.Handler;
@@ -671,16 +670,11 @@ public class HttpServer implements Filte
 protected void initSpnego(Configuration conf, String usernameConfKey,
 String keytabConfKey) throws IOException {
 Map params = new HashMap();
-String[] principalsInConf = conf.getStrings(usernameConfKey);
-if (principalsInConf != null && principalsInConf.length != 0) {
-for (int i=0; i < principalsInConf.length; i++) {
-principalsInConf[i] =
-SecurityUtil.getServerPrincipal(principalsInConf[i], listener.getHost());
-}
+String principalInConf = conf.get(usernameConfKey);
+if (principalInConf != null && !principalInConf.isEmpty()) {
 params.put("kerberos.principal",
-StringUtils.join(",", principalsInConf));
+SecurityUtil.getServerPrincipal(principalInConf, listener.getHost()));
 }
-
 String httpKeytab = conf.get(keytabConfKey);
 if (httpKeytab != null && !httpKeytab.isEmpty()) {
 params.put("kerberos.keytab", httpKeytab);
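Review bot: initSpnego() in the second hunk has no Javadoc, and the rewritten guard makes it easy to miss that an absent or empty value under `usernameConfKey` silently omits `kerberos.principal` from the filter parameters instead of failing, so a mistyped key only surfaces later inside the authentication handler. A short header would help, e.g. a docstring stating that the configured principal is resolved against `listener.getHost()` (presumably the `_HOST` substitution done by SecurityUtil.getServerPrincipal) and that missing principal or keytab keys are skipped rather than rejected. The method body continues past the end of the hunk, so whether anything downstream checks that the two keys are configured together cannot be seen here.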