hadoop-common-issues mailing list archives

From "Andrew Purtell (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10786) Patch that fixes UGI#reloginFromKeytab on java 8
Date Wed, 17 Sep 2014 15:55:34 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14137440#comment-14137440 ]

Andrew Purtell commented on HADOOP-10786:
-----------------------------------------

Shouldn't this be a higher priority than 'Minor'? The end of public updates to Java 7 will
be April 2015. A silent failure to re-login from keytab after TGT expiry dooms any long running
process that wants to use secure RPC. Anyone who cares about security and about running the
best performing supported Java runtime shortly will be forced to locally patch their core
libraries. 

> Patch that fixes UGI#reloginFromKeytab on java 8
> ------------------------------------------------
>
>                 Key: HADOOP-10786
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10786
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Tobi Vollebregt
>            Assignee: Tobi Vollebregt
>            Priority: Minor
>         Attachments: HADOOP-10786.patch
>
>
> Krb5LoginModule changed subtly in java 8: in particular, if useKeyTab and storeKey are specified, then only a KeyTab object is added to the Subject's private credentials, whereas in java <= 7 both a KeyTab and some number of KerberosKey objects were added.
> The UGI constructor checks whether or not a keytab was used to login by looking if there are any KerberosKey objects in the Subject's private credentials. If there are, then isKeyTab is set to true, and otherwise it's set to false.
> Thus, in java 8 isKeyTab is always false given the current UGI implementation, which makes UGI#reloginFromKeytab fail silently.
> Attached patch will check for a KeyTab object on the Subject, instead of a KerberosKey object. This fixes relogins from kerberos keytabs on Oracle java 8, and works on Oracle java 7 as well.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
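
The credential check described in the issue, as an added example that is not part of the original message or the attached patch: it builds two Subjects with the private-credential shapes the description gives for Java <= 7 and Java 8, then runs the KerberosKey-based check and the KeyTab-based check on each. The class name, method names, principal, key bytes and keytab path are constructed placeholders.

```java
import java.io.File;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;

public class KeytabLoginCheck {
    // Pre-patch check as the issue describes it: a keytab login is inferred
    // from KerberosKey objects in the Subject's private credentials.
    static boolean hasKerberosKey(Subject s) {
        return !s.getPrivateCredentials(KerberosKey.class).isEmpty();
    }

    // Check the issue describes as the fix: look for a KeyTab object instead.
    static boolean hasKeyTab(Subject s) {
        return !s.getPrivateCredentials(KeyTab.class).isEmpty();
    }

    static void report(String label, Subject s) {
        System.out.println(label + ": KerberosKey check=" + hasKerberosKey(s)
                + ", KeyTab check=" + hasKeyTab(s));
    }

    public static void main(String[] args) {
        // Constructed sample values. The keytab file need not exist:
        // KeyTab.getInstance only associates the object with the path.
        KerberosPrincipal principal =
                new KerberosPrincipal("svc/host.example.com@EXAMPLE.COM");
        KeyTab keyTab = KeyTab.getInstance(new File("placeholder.keytab"));
        // All-zero constructed key; 17 is the aes128-cts-hmac-sha1-96 etype.
        KerberosKey key = new KerberosKey(principal, new byte[16], 17, 1);

        // Shape after a keytab login on Java <= 7: KeyTab plus KerberosKey.
        Subject java7Shape = new Subject();
        java7Shape.getPrivateCredentials().add(keyTab);
        java7Shape.getPrivateCredentials().add(key);

        // Shape after a keytab login on Java 8: only the KeyTab object.
        Subject java8Shape = new Subject();
        java8Shape.getPrivateCredentials().add(keyTab);

        // The KerberosKey check is false for the Java 8 shape, which is the
        // condition that leaves isKeyTab false and skips the relogin.
        report("Java <= 7 shape", java7Shape);
        report("Java 8 shape", java8Shape);
    }
}
```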
