hadoop-common-issues mailing list archives

From "Steve Loughran (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10786) Fix UGI#reloginFromKeytab on Java 8
Date Wed, 07 Mar 2018 14:34:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16389630#comment-16389630 ]

Steve Loughran commented on HADOOP-10786:

Looks like it's in branch-2.7
> git log --grep HADOOP-10786 branch-2.7
commit 8f4a09b6076de9fbd6cd8ccaddf72ba9c94429ff
Author: Vinayakumar B <vinayakumarb@apache.org>
Date:   Fri Aug 14 12:23:51 2015 +0530

    HADOOP-10786. Fix UGI#reloginFromKeytab on Java 8. Contributed by Stephen Chu.
    Moved CHANGES.txt entry to 2.6.1
    (cherry picked from commit e7aa81394dce61cc96d480e21204263a5f2ed153)

The code has moved on a lot since that patch went in, which is why there's no match. 

> Fix UGI#reloginFromKeytab on Java 8
> -----------------------------------
>                 Key: HADOOP-10786
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10786
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.6.0
>            Reporter: Tobi Vollebregt
>            Assignee: Stephen Chu
>            Priority: Major
>              Labels: 2.6.1-candidate
>             Fix For: 2.6.1, 2.7.0, 3.0.0-alpha1
>         Attachments: HADOOP-10786.2.patch, HADOOP-10786.3.patch, HADOOP-10786.3.patch, HADOOP-10786.4.patch, HADOOP-10786.5.patch, HADOOP-10786.patch
>
> Krb5LoginModule changed subtly in java 8: in particular, if useKeyTab and storeKey are specified, then only a KeyTab object is added to the Subject's private credentials, whereas in java <= 7 both a KeyTab and some number of KerberosKey objects were added.
> The UGI constructor checks whether or not a keytab was used to login by looking if there are any KerberosKey objects in the Subject's private credentials. If there are, then isKeyTab is set to true, and otherwise it's set to false.
> Thus, in java 8 isKeyTab is always false given the current UGI implementation, which makes UGI#reloginFromKeytab fail silently.
> Attached patch will check for a KeyTab object on the Subject, instead of a KerberosKey object. This fixes relogins from kerberos keytabs on Oracle java 8, and works on Oracle java 7 as well.

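Added example, not part of the original message and not Hadoop's own code: the two keytab-detection checks from the issue description, run against hand-built Subjects that mimic the credential sets the issue attributes to Java <= 7 and Java 8. The class and method names, the principal, the keytab path and the key bytes are all constructed for illustration; no KDC or real keytab is needed.

```java
import java.io.File;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;

public class KeytabDetectionDemo {

    // Check as the issue describes the pre-patch UGI constructor: a keytab
    // login is inferred from KerberosKey objects in the private credentials.
    static boolean detectByKerberosKey(Subject s) {
        return !s.getPrivateCredentials(KerberosKey.class).isEmpty();
    }

    // Check as the issue describes the patch: look for a KeyTab object instead.
    static boolean detectByKeyTab(Subject s) {
        return !s.getPrivateCredentials(KeyTab.class).isEmpty();
    }

    static void report(String label, Subject s) {
        System.out.printf("%-24s KerberosKey check=%-5b KeyTab check=%b%n",
                label, detectByKerberosKey(s), detectByKeyTab(s));
    }

    public static void main(String[] args) {
        // Constructed placeholders: principal, keytab path and all-zero key bytes.
        KerberosPrincipal princ =
                new KerberosPrincipal("svc/host.example.com@EXAMPLE.COM");
        // The keytab file is never opened here; only the object's presence matters.
        KeyTab keytab = KeyTab.getInstance(new File("/tmp/example.keytab"));
        // Key type 17 is aes128-cts-hmac-sha1-96; version number 1.
        KerberosKey key = new KerberosKey(princ, new byte[16], 17, 1);

        // Credential set the issue attributes to Java <= 7: KeyTab plus KerberosKey.
        Subject java7Style = new Subject();
        java7Style.getPrivateCredentials().addAll(Arrays.asList(keytab, key));

        // Credential set the issue attributes to Java 8: KeyTab only.
        Subject java8Style = new Subject();
        java8Style.getPrivateCredentials().add(keytab);

        report("Java <= 7 style subject", java7Style);
        report("Java 8 style subject", java8Style);
    }
}
```

Only the KeyTab check recognises both subjects as keytab logins, which is the difference the issue says left isKeyTab false on Java 8 and made the relogin fail silently.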