hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hadoop QA (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10786) Patch that fixes UGI#reloginFromKeytab on java 8
Date Sat, 05 Jul 2014 05:24:33 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14052800#comment-14052800
] 

Hadoop QA commented on HADOOP-10786:
------------------------------------

{color:red}-1 overall{color}.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12654166/HADOOP-10786.patch
  against trunk revision .

    {color:green}+1 @author{color}.  The patch does not contain any @author tags.

    {color:red}-1 tests included{color}.  The patch doesn't appear to include any new or modified
tests.
                        Please justify why no new tests are needed for this patch.
                        Also please list what manual steps were performed to verify this patch.

    {color:red}-1 javac{color:red}.  The patch appears to cause the build to fail.

Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/4217//console

This message is automatically generated.

> Patch that fixes UGI#reloginFromKeytab on java 8
> ------------------------------------------------
>
>                 Key: HADOOP-10786
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10786
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Tobi Vollebregt
>            Priority: Minor
>         Attachments: HADOOP-10786.patch
>
>
> Krb5LoginModule changed subtly in java 8: in particular, if useKeyTab and storeKey are
specified, then only a KeyTab object is added to the Subject's private credentials, whereas
in java <= 7 both a KeyTab and some number of KerberosKey objects was added.
> The UGI constructor checks whether or not a keytab was used to login by looking if there
are any KerberosKey objects in the Subject's private credentials. If there are, the isKeyTab
is set to true, and otherwise it's false.
> Thus, in java 8 isKeyTab is always false given the current UGI implementation, which
makes UGI#reloginFromKeytab fail silently.
> Attached patch will check for a KeyTab object on the Subject, instead of a KerberosKey
object. This fixes relogins from kerberos keytabs on Oracle java 8, and works on Oracle java
7 as well.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message