From cnaur...@apache.org
Subject [2/3] hadoop git commit: HADOOP-13081. add the ability to create multiple UGIs/subjects from one kerberos login. Contributed by Sergey Shelukhin.
Date Tue, 02 Aug 2016 19:49:02 GMT
HADOOP-13081. add the ability to create multiple UGIs/subjects from one kerberos login. Contributed
by Sergey Shelukhin.

(cherry picked from commit 0458a2af6e925d023882714e8b7b0568eca7a775)


Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/ec522a19
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/ec522a19
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/ec522a19

Branch: refs/heads/branch-2
Commit: ec522a19076314f309ef475a8fdf08ec840dafae
Parents: 7e21384
Author: Chris Nauroth <cnauroth@apache.org>
Authored: Tue Aug 2 12:43:30 2016 -0700
Committer: Chris Nauroth <cnauroth@apache.org>
Committed: Tue Aug 2 12:43:51 2016 -0700

----------------------------------------------------------------------
 .../hadoop/security/UserGroupInformation.java   | 29 +++++++++++++++++++-
 .../security/TestUserGroupInformation.java      | 27 ++++++++++++++++++
 2 files changed, 55 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hadoop/blob/ec522a19/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
index 5d8f1ec..370f92f 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
@@ -36,6 +36,7 @@ import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Iterator;
 import java.util.LinkedHashSet;
 import java.util.List;
@@ -625,7 +626,33 @@ public class UserGroupInformation {
     this.isKeytab = KerberosUtil.hasKerberosKeyTab(subject);
     this.isKrbTkt = KerberosUtil.hasKerberosTicket(subject);
   }
-  
+
+  /**
+   * Copies the Subject of this UGI and creates a new UGI with the new subject.
+   * This can be used to add credentials (e.g. tokens) to different copies of
+   * the same UGI, allowing multiple users with different tokens to reuse the
+   * UGI without re-authenticating with Kerberos.
+   * @return clone of the UGI with a new subject.
+   */
+  @InterfaceAudience.Public
+  @InterfaceStability.Evolving
+  public UserGroupInformation copySubjectAndUgi() {
+    Subject subj = getSubject();
+    // The ctor will set other fields automatically from the principals.
+    return new UserGroupInformation(new Subject(false, subj.getPrincipals(),
+        cloneCredentials(subj.getPublicCredentials()),
+        cloneCredentials(subj.getPrivateCredentials())));
+  }
+
+  private static Set<Object> cloneCredentials(Set<Object> old) {
+    Set<Object> set = new HashSet<>();
+    // Make sure Hadoop credentials objects do not reuse the maps.
+    for (Object o : old) {
+      set.add(o instanceof Credentials ? new Credentials((Credentials)o) : o);
+    }
+    return set;
+  }
+
   /**
    * checks if logged in using kerberos
    * @return true if the subject logged via keytab or has a Kerberos TGT
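Review bot: `cloneCredentials` deep-copies only `Credentials` instances and passes every other credential object through unchanged (`: o`), and `copySubjectAndUgi` hands `subj.getPrincipals()` to the new `Subject`, so the copy and the original hold the same principal objects and the same non-Hadoop credentials (presumably the Kerberos ticket and keytab entries; those types are not visible here). The sharing looks intentional, but the Javadoc reads as if each copy were independent, so it should state the limit explicitly, for example `Only Hadoop Credentials are copied; principals and all other credentials, including Kerberos ones, are shared with this UGI, so a copy is not a privilege boundary and state changes on those shared objects are visible through every copy.` Separately, the loop in `cloneCredentials` iterates the live credential sets with no lock visible in this hunk; if token additions elsewhere in the class are guarded by a monitor, the copy should take the same one to avoid a `ConcurrentModificationException` or an inconsistent snapshot. Both added methods are complete in the hunk, while the enclosing class continues outside it.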

http://git-wip-us.apache.org/repos/asf/hadoop/blob/ec522a19/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
index ed407ad..838d431 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
@@ -43,6 +43,7 @@ import java.security.PrivilegedExceptionAction;
 import java.util.Collection;
 import java.util.ConcurrentModificationException;
 import java.util.LinkedHashSet;
+import java.util.List;
 import java.util.Set;
 
 import static org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_USER_GROUP_METRICS_PERCENTILES_INTERVALS;
@@ -841,6 +842,32 @@ public class TestUserGroupInformation {
     assertEquals(1, tokens.size());
   }
 
+  @Test(timeout = 30000)
+  public void testCopySubjectAndUgi() throws IOException {
+    SecurityUtil.setAuthenticationMethod(AuthenticationMethod.SIMPLE, conf);
+    UserGroupInformation.setConfiguration(conf);
+    UserGroupInformation u1 = UserGroupInformation.getLoginUser();
+    assertNotNull(u1);
+    @SuppressWarnings("unchecked")
+    Token<? extends TokenIdentifier> tmpToken = mock(Token.class);
+    u1.addToken(tmpToken);
+
+    UserGroupInformation u2 = u1.copySubjectAndUgi();
+    assertEquals(u1.getAuthenticationMethod(), u2.getAuthenticationMethod());
+    assertNotSame(u1.getSubject(), u2.getSubject());
+    Credentials c1 = u1.getCredentials(), c2 = u2.getCredentials();
+    List<Text> sc1 = c1.getAllSecretKeys(), sc2 = c2.getAllSecretKeys();
+    assertArrayEquals(sc1.toArray(new Text[0]), sc2.toArray(new Text[0]));
+    Collection<Token<? extends TokenIdentifier>> ts1 = c1.getAllTokens(),
+        ts2 = c2.getAllTokens();
+    assertArrayEquals(ts1.toArray(new Token[0]), ts2.toArray(new Token[0]));
+    @SuppressWarnings("unchecked")
+    Token<? extends TokenIdentifier> token = mock(Token.class);
+    u2.addToken(token);
+    assertTrue(u2.getCredentials().getAllTokens().contains(token));
+    assertFalse(u1.getCredentials().getAllTokens().contains(token));
+  }
+
   /**
    * This test checks a race condition between getting and adding tokens for
    * the current user.  Calling UserGroupInformation.getCurrentUser() returns
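Review bot: The isolation assertions at the end of `testCopySubjectAndUgi` run in one direction only: a token added to `u2` is shown to be absent from `u1`, but nothing checks that a token added to `u1` after the copy stays out of `u2`. Adding the mirror case with a third mock token `other`, `u1.addToken(other);` followed by `assertFalse(u2.getCredentials().getAllTokens().contains(other));`, would pin the deep copy from both sides. The test also runs under `AuthenticationMethod.SIMPLE` only, so the Kerberos credential sharing that motivates the method is not exercised here. Since `u1` comes from `getLoginUser()`, the mock token added to it may persist into later tests unless the suite resets UGI state, which is not visible in this hunk.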

