hadoop-common-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cnaur...@apache.org
Subject hadoop git commit: HADOOP-12716. KerberosAuthenticator#doSpnegoSequence use incorrect class to determine isKeyTab in JDK8. Contributed by Xiaoyu Yao.
Date Wed, 24 Feb 2016 22:14:47 GMT
Repository: hadoop
Updated Branches:
  refs/heads/branch-2 51162f962 -> 92e49cdd0


HADOOP-12716. KerberosAuthenticator#doSpnegoSequence use incorrect class to determine isKeyTab
in JDK8. Contributed by Xiaoyu Yao.

(cherry picked from commit d6b181c6faa56e43c9f05d2cc860a0aeb940fd90)


Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/92e49cdd
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/92e49cdd
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/92e49cdd

Branch: refs/heads/branch-2
Commit: 92e49cdd04824bbb6abfca343c1f4285ca7b5fd1
Parents: 51162f9
Author: cnauroth <cnauroth@apache.org>
Authored: Wed Feb 24 13:55:39 2016 -0800
Committer: Chris Nauroth <cnauroth@apache.org>
Committed: Wed Feb 24 14:05:55 2016 -0800

----------------------------------------------------------------------
 .../client/KerberosAuthenticator.java           |  6 ++---
 .../authentication/util/KerberosUtil.java       | 28 ++++++++++++++++++++
 hadoop-common-project/hadoop-common/CHANGES.txt |  3 +++
 .../hadoop/security/UserGroupInformation.java   |  5 ++--
 4 files changed, 35 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hadoop/blob/92e49cdd/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
index e107810..0f046ae 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
@@ -24,8 +24,6 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import javax.security.auth.Subject;
-import javax.security.auth.kerberos.KerberosKey;
-import javax.security.auth.kerberos.KerberosTicket;
 import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.Configuration;
 import javax.security.auth.login.LoginContext;
@@ -272,8 +270,8 @@ public class KerberosAuthenticator implements Authenticator {
       AccessControlContext context = AccessController.getContext();
       Subject subject = Subject.getSubject(context);
       if (subject == null
-          || (subject.getPrivateCredentials(KerberosKey.class).isEmpty()
-              && subject.getPrivateCredentials(KerberosTicket.class).isEmpty()))
{
+          || (!KerberosUtil.hasKerberosKeyTab(subject)
+              && !KerberosUtil.hasKerberosTicket(subject))) {
         LOG.debug("No subject in context, logging in");
         subject = new Subject();
         LoginContext login = new LoginContext("", subject,

http://git-wip-us.apache.org/repos/asf/hadoop/blob/92e49cdd/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java
b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java
index fec7f01..17070e0 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java
@@ -38,6 +38,10 @@ import org.apache.directory.server.kerberos.shared.keytab.KeytabEntry;
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.Oid;
 
+import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosTicket;
+import javax.security.auth.kerberos.KeyTab;
+
 public class KerberosUtil {
 
   /* Return the Kerberos login module name */
@@ -227,4 +231,28 @@ public class KerberosUtil {
     }
     return principals;
   }
+
+  /**
+   * Check if the subject contains Kerberos keytab related objects.
+   * The Kerberos keytab object attached in subject has been changed
+   * from KerberosKey (JDK 7) to KeyTab (JDK 8)
+   *
+   *
+   * @param subject subject to be checked
+   * @return true if the subject contains Kerberos keytab
+   */
+  public static boolean hasKerberosKeyTab(Subject subject) {
+    return !subject.getPrivateCredentials(KeyTab.class).isEmpty();
+  }
+
+  /**
+   * Check if the subject contains Kerberos ticket.
+   *
+   *
+   * @param subject subject to be checked
+   * @return true if the subject contains Kerberos ticket
+   */
+  public static boolean hasKerberosTicket(Subject subject) {
+    return !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
+  }
 }

http://git-wip-us.apache.org/repos/asf/hadoop/blob/92e49cdd/hadoop-common-project/hadoop-common/CHANGES.txt
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index b16b5ce..a49458d 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -1102,6 +1102,9 @@ Release 2.8.0 - UNRELEASED
 
     HADOOP-12878. KMS SPNEGO sequence does not work with WEBHDFS. (xyao)
 
+    HADOOP-12716. KerberosAuthenticator#doSpnegoSequence use incorrect class to
+    determine isKeyTab in JDK8. (Xiaoyu Yao via cnauroth)
+
 Release 2.7.3 - UNRELEASED
 
   INCOMPATIBLE CHANGES

http://git-wip-us.apache.org/repos/asf/hadoop/blob/92e49cdd/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
index 2653c23..90d396f 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
@@ -45,7 +45,6 @@ import javax.security.auth.Subject;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.kerberos.KerberosPrincipal;
 import javax.security.auth.kerberos.KerberosTicket;
-import javax.security.auth.kerberos.KeyTab;
 import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
 import javax.security.auth.login.LoginContext;
@@ -610,8 +609,8 @@ public class UserGroupInformation {
   UserGroupInformation(Subject subject) {
     this.subject = subject;
     this.user = subject.getPrincipals(User.class).iterator().next();
-    this.isKeytab = !subject.getPrivateCredentials(KeyTab.class).isEmpty();
-    this.isKrbTkt = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
+    this.isKeytab = KerberosUtil.hasKerberosKeyTab(subject);
+    this.isKrbTkt = KerberosUtil.hasKerberosTicket(subject);
   }
   
   /**


Mime
View raw message