hadoop-common-issues mailing list archives

From "Stephen Chu (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-10786) Patch that fixes UGI#reloginFromKeytab on java 8
Date Fri, 07 Nov 2014 02:34:35 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-10786?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephen Chu updated HADOOP-10786:
---------------------------------
    Attachment: HADOOP-10786.3.patch

Performing the reflection in a static init block sounds like a good idea.

I can see how it'd be useful to extract the logic of login into a separate function and just
call it directly. I'd like to make sure to exercise as much of the reloginFromKeytab logic
as possible (aside from waiting for a renew window), though.

The test verifies isKeytab == true, which is good. However, if for some reason the way isKeytab
changes in reloginFromKeytab (or something else changes before actual login), it'd be good
to exercise this.

Attaching a patch that moves the reflection to a static block.

Also, I made some additional fixes:

* Fix the conditional logic when using shouldRenewImmediatelyForTests by moving the check
for null TGT ahead.
* Remove //return

> Patch that fixes UGI#reloginFromKeytab on java 8
> ------------------------------------------------
>
>                 Key: HADOOP-10786
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10786
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.6.0
>            Reporter: Tobi Vollebregt
>            Assignee: Stephen Chu
>         Attachments: HADOOP-10786.2.patch, HADOOP-10786.3.patch, HADOOP-10786.patch
>
>
> Krb5LoginModule changed subtly in Java 8: in particular, if useKeyTab and storeKey are
> specified, then only a KeyTab object is added to the Subject's private credentials, whereas
> in Java <= 7 both a KeyTab and some number of KerberosKey objects were added.
> The UGI constructor checks whether or not a keytab was used to log in by looking if there
> are any KerberosKey objects in the Subject's private credentials. If there are, then isKeyTab
> is set to true, and otherwise it's set to false.
> Thus, in Java 8 isKeyTab is always false given the current UGI implementation, which
> makes UGI#reloginFromKeytab fail silently.
> Attached patch will check for a KeyTab object on the Subject, instead of a KerberosKey
> object. This fixes relogins from Kerberos keytabs on Oracle Java 8, and works on Oracle Java
> 7 as well.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
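
The two credential checks described in the quoted issue, as an added example that is not part of the original message and is not Hadoop's code: it builds Subjects by hand in the shape the issue attributes to Krb5LoginModule on Java <= 7 and on Java 8, then runs both checks on each. The class and method names, the principal, the keytab path and the all-zero key are constructed placeholders.

```java
import java.io.File;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;

public class KeytabLoginCheck {
    // Check the issue describes as the existing one: infer a keytab login
    // from the presence of KerberosKey objects.
    static boolean kerberosKeyCheck(Subject s) {
        return !s.getPrivateCredentials(KerberosKey.class).isEmpty();
    }

    // Check the issue describes as the fix: look for the KeyTab object itself.
    static boolean keyTabCheck(Subject s) {
        return !s.getPrivateCredentials(KeyTab.class).isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample data: placeholder principal, path and key bytes.
        KerberosPrincipal principal =
            new KerberosPrincipal("svc/host.example.com@EXAMPLE.COM");
        // getInstance only binds the object to the path; the file is not read here.
        KeyTab keyTab = KeyTab.getInstance(new File("/nonexistent/example.keytab"));
        // Key type 17 is aes128-cts-hmac-sha1-96, which takes a 16-byte key.
        KerberosKey key = new KerberosKey(principal, new byte[16], 17, 1);

        Subject java7Style = new Subject();   // KeyTab plus KerberosKey objects
        java7Style.getPrivateCredentials().add(keyTab);
        java7Style.getPrivateCredentials().add(key);

        Subject java8Style = new Subject();   // KeyTab only
        java8Style.getPrivateCredentials().add(keyTab);

        Subject noKeytab = new Subject();     // neither type, e.g. a ticket-cache login

        Map<String, Subject> cases = new LinkedHashMap<>();
        cases.put("Java <= 7 keytab login", java7Style);
        cases.put("Java 8 keytab login", java8Style);
        cases.put("login without keytab", noKeytab);

        for (Map.Entry<String, Subject> e : cases.entrySet()) {
            System.out.printf("%-24s KerberosKey check=%-5b KeyTab check=%b%n",
                e.getKey(), kerberosKeyCheck(e.getValue()), keyTabCheck(e.getValue()));
        }
    }
}
```

The row where the two checks disagree is the Java 8 keytab login, which is the case the issue reports as making the relogin fail silently.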
