From: xiao@apache.org To: common-commits@hadoop.apache.org Message-Id: <8d6b3c28fc504b379eede03928e279f7@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: hadoop git commit: HADOOP-13558. UserGroupInformation created from a Subject incorrectly tries to renew the Kerberos ticket. Contributed by Xiao Chen. Date: Wed, 7 Sep 2016 04:10:58 +0000 (UTC) archived-at: Wed, 07 Sep 2016 04:10:59 -0000 Repository: hadoop Updated Branches: refs/heads/trunk 5f23abfa3 -> 680be58aa HADOOP-13558. UserGroupInformation created from a Subject incorrectly tries to renew the Kerberos ticket. Contributed by Xiao Chen. Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/680be58a Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/680be58a Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/680be58a Branch: refs/heads/trunk Commit: 680be58aac03a9ffab6b07c8fde9602ddb9dc858 Parents: 5f23abf Author: Xiao Chen Authored: Tue Sep 6 20:25:26 2016 -0700 Committer: Xiao Chen Committed: Tue Sep 6 20:54:17 2016 -0700 ---------------------------------------------------------------------- .../hadoop/security/UserGroupInformation.java | 22 +++++++++++++++--- .../security/TestUserGroupInformation.java | 24 ++++++++++++++++++++ 2 files changed, 43 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/680be58a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java ----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
index fe6fbe4..ed3a9d0 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
@@ -632,9 +632,24 @@ public class UserGroupInformation {
 * @param subject the user's subject
 */
 UserGroupInformation(Subject subject) {
+ this(subject, false);
+ }
+
+ /**
+ * Create a UGI from the given subject.
+ * @param subject the subject
+ * @param externalKeyTab if the subject's keytab is managed by the user.
+ * Setting this to true will prevent UGI from attempting
+ * to login the keytab, or to renew it.
+ */
+ private UserGroupInformation(Subject subject, final boolean externalKeyTab) {
 this.subject = subject;
 this.user = subject.getPrincipals(User.class).iterator().next();
- this.isKeytab = KerberosUtil.hasKerberosKeyTab(subject);
+ if (externalKeyTab) {
+ this.isKeytab = false;
+ } else {
+ this.isKeytab = KerberosUtil.hasKerberosKeyTab(subject);
+ }
 this.isKrbTkt = KerberosUtil.hasKerberosTicket(subject);
 }
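Review bot: The externally-managed decision is kept only as this instance's `isKeytab`, and the one-argument constructor delegates with `this(subject, false)`, so any other path that wraps the same Subject in a fresh UGI re-derives `isKeytab` from `KerberosUtil.hasKerberosKeyTab(subject)` and would again treat the keytab as UGI-managed. Which callers use the one-argument constructor is outside this hunk (getCurrentUser is a likely one), so this is something to verify rather than a confirmed defect. `isKrbTkt` is still assigned unconditionally, so the flag does not cover any ticket-based renewal that keys off it. At minimum the one-argument constructor's Javadoc should state the limitation, e.g. `* The keytab state is re-derived from the subject; an externally managed keytab is not remembered.`, and the `if`/`else` can be written as `this.isKeytab = !externalKeyTab && KerberosUtil.hasKerberosKeyTab(subject);`.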
@@ -850,10 +865,11 @@ public class UserGroupInformation {
 newLoginContext(authenticationMethod.getLoginAppName(),
 subject, new HadoopConfiguration());
 login.login();
- UserGroupInformation realUser = new UserGroupInformation(subject);
+ LOG.debug("Assuming keytab is managed externally since logged in from"
+ + " subject.");
+ UserGroupInformation realUser = new UserGroupInformation(subject, true);
 realUser.setLogin(login);
 realUser.setAuthenticationMethod(authenticationMethod);
- realUser = new UserGroupInformation(login.getSubject());
 // If the HADOOP_PROXY_USER environment variable or property
 // is specified, create a proxy user as the logged in user.
 String proxyUser = System.getenv(HADOOP_PROXY_USER);
http://git-wip-us.apache.org/repos/asf/hadoop/blob/680be58a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
index a306d35..e45d70d 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
@@ -37,6 +37,7 @@ import org.junit.Test;
 import javax.security.auth.Subject;
 import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.kerberos.KeyTab;
 import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.LoginContext;
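Review bot: `new UserGroupInformation(subject, true)` hard-codes the external-keytab assumption for every call that reaches this line in the -850 hunk, and the debug message states it as fact. The start of the method is outside the hunk, so it is not visible whether this path is also taken when the caller supplied no Subject of its own; if it is, the message is misleading there and the keytab handling is switched off on an assumption that does not hold. Recording whether a Subject was passed in before any defaulting, and handing that boolean to the constructor instead of the literal `true`, would tie the behaviour to what the caller actually did. The log line would also help more when diagnosing expired-ticket failures if it named the user, for example placed after construction as `LOG.debug("Keytab assumed externally managed for " + realUser.getUserName());`.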
@@ -1030,4 +1031,27 @@ public class TestUserGroupInformation {
 assertTrue(credsugiTokens.contains(token1));
 assertTrue(credsugiTokens.contains(token2));
 }
+
+ @Test
+ public void testCheckTGTAfterLoginFromSubject() throws Exception {
+ // security on, default is remove default realm
+ SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, conf);
+ UserGroupInformation.setConfiguration(conf);
+
+ // Login from a pre-set subject with a keytab
+ final Subject subject = new Subject();
+ KeyTab keytab = KeyTab.getInstance();
+ subject.getPrivateCredentials().add(keytab);
+ UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
+ ugi.doAs(new PrivilegedExceptionAction() {
+ @Override
+ public Void run() throws IOException {
+ UserGroupInformation.loginUserFromSubject(subject);
+ // this should not throw.
+ UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
+ return null;
+ }
+ });
+
+ }
 }
--------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org For additional commands, e-mail: common-commits-help@hadoop.apache.org
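Review bot: The new test pins only "does not throw" and never asserts the state the fix is meant to establish, so a regression that re-enables keytab handling without raising in this environment would still pass. Adding `assertFalse(UserGroupInformation.isLoginKeytabBased());` right after `loginUserFromSubject(subject)` inside `run()` would check the flag directly. It also exercises only `getLoginUser()`; a UGI obtained for the same Subject by another route is not covered. `loginUserFromSubject` replaces the process-wide login user, and whether that is reset between tests is outside this hunk, so a comment such as `// login user is reset in the @Before method` (if true) would make the isolation explicit.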