hadoop-common-dev mailing list archives

From "Tobi Vollebregt (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-10786) Patch that fixes UGI#reloginFromKeytab on java 8
Date Sat, 05 Jul 2014 05:04:33 GMT
Tobi Vollebregt created HADOOP-10786:

             Summary: Patch that fixes UGI#reloginFromKeytab on java 8
                 Key: HADOOP-10786
                 URL: https://issues.apache.org/jira/browse/HADOOP-10786
             Project: Hadoop Common
          Issue Type: Bug
          Components: security
            Reporter: Tobi Vollebregt
            Priority: Minor

Krb5LoginModule changed subtly in java 8: in particular, if useKeyTab and storeKey are specified,
then only a KeyTab object is added to the Subject's private credentials, whereas in java <=
7 both a KeyTab and some number of KerberosKey objects were added.

The UGI constructor checks whether or not a keytab was used to login by looking if there are
any KerberosKey objects in the Subject's private credentials. If there are, the isKeyTab is
set to true, and otherwise it's false.

Thus, in java 8 isKeyTab is always false given the current UGI implementation, which makes
UGI#reloginFromKeytab fail silently.

Attached patch will check for a KeyTab object on the Subject, instead of a KerberosKey object.
This fixes relogins from kerberos keytabs on Oracle java 8, and works on Oracle java 7 as

This message was sent by Atlassian JIRA
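
The two checks described in the message, run against constructed Subjects shaped like the Java 7 and Java 8 login results. This is an added example, not the attached patch or Hadoop's own code; the class name, method names, principal and keytab path are assumptions made for illustration.

```java
import java.io.File;
import java.util.Collections;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;

public class KeytabLoginCheck {
    // Check the message describes as current behaviour: infer a keytab
    // login from KerberosKey objects in the private credentials.
    static boolean viaKerberosKey(Subject s) {
        return !s.getPrivateCredentials(KerberosKey.class).isEmpty();
    }

    // Check the message describes as the fix: look for the KeyTab object.
    static boolean viaKeyTab(Subject s) {
        return !s.getPrivateCredentials(KeyTab.class).isEmpty();
    }

    // Builds a constructed Subject; no real login, keytab file or KDC is involved.
    static Subject subject(KerberosPrincipal p, Object... privateCreds) {
        Subject s = new Subject();
        s.getPrincipals().add(p);
        Collections.addAll(s.getPrivateCredentials(), privateCreds);
        return s;
    }

    static void report(String label, Subject s) {
        System.out.printf("%-28s KerberosKey check=%-5b KeyTab check=%b%n",
                label, viaKerberosKey(s), viaKeyTab(s));
    }

    public static void main(String[] args) {
        // Constructed sample values (hypothetical principal and path).
        KerberosPrincipal p = new KerberosPrincipal("svc/host.example.com@EXAMPLE.COM");
        // getInstance only associates the object with the path; the file is not read.
        KeyTab keytab = KeyTab.getInstance(new File("constructed.keytab"));
        // All-zero 16-byte key, etype 17 (aes128-cts-hmac-sha1-96), kvno 1.
        KerberosKey key = new KerberosKey(p, new byte[16], 17, 1);

        // Java <= 7 shape per the message: KeyTab plus KerberosKey objects.
        report("Java 7 style credentials:", subject(p, keytab, key));
        // Java 8 shape per the message: only the KeyTab object.
        report("Java 8 style credentials:", subject(p, keytab));
    }
}
```

For the Java 8 shaped Subject only the KeyTab check reports a keytab login, which is the condition under which the message says isKeyTab ends up false.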
