Posted to issues@spark.apache.org by "Yang Jie (Jira)" <ji...@apache.org> on 2023/10/10 09:30:00 UTC
[jira] [Updated] (SPARK-45482) Handle the usage of AccessControlContext and AccessController.
[ https://issues.apache.org/jira/browse/SPARK-45482?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Yang Jie updated SPARK-45482:
-----------------------------
Summary: Handle the usage of AccessControlContext and AccessController. (was: Clean up the usage of `AccessControlContext` and `AccessController`)
> Handle the usage of AccessControlContext and AccessController.
> --------------------------------------------------------------
>
> Key: SPARK-45482
> URL: https://issues.apache.org/jira/browse/SPARK-45482
> Project: Spark
> Issue Type: Sub-task
> Components: Spark Core, SQL
> Affects Versions: 4.0.0
> Reporter: Yang Jie
> Priority: Minor
>
>
>
> {code:java}
>  * @deprecated This class is only useful in conjunction with
>  * {@linkplain SecurityManager the Security Manager}, which is deprecated
>  * and subject to removal in a future release. Consequently, this class
>  * is also deprecated and subject to removal. There is no replacement for
>  * the Security Manager or this class.
>  */
> @Deprecated(since="17", forRemoval=true)
> public final class AccessController {
>
>  * @deprecated This class is only useful in conjunction with
>  * {@linkplain SecurityManager the Security Manager}, which is deprecated
>  * and subject to removal in a future release. Consequently, this class
>  * is also deprecated and subject to removal. There is no replacement for
>  * the Security Manager or this class.
>  */
> @Deprecated(since="17", forRemoval=true)
> public final class AccessControlContext { {code}
>
>
> `AccessControlContext` and `AccessController` are marked as deprecated in Java 17, with `forRemoval` set to true. From the Javadoc, it can be seen that they do not have corresponding replacements.
>
> In Spark, there are three files that use AccessControlContext or AccessController:
> 1. [https://github.com/apache/spark/blob/39cc4abaff73cb49f9d79d1d844fe5c9fa14c917/core/src/main/scala/org/apache/spark/serializer/SerializationDebugger.scala#L70-L73]
> {code:java}
> private[serializer] var enableDebugging: Boolean = {
>   !AccessController.doPrivileged(new sun.security.action.GetBooleanAction(
>     "sun.io.serialization.extendedDebugInfo")).booleanValue()
> } {code}
>
> 2. [https://github.com/apache/spark/blob/39cc4abaff73cb49f9d79d1d844fe5c9fa14c917/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/TSubjectAssumingTransport.java#L42-L45]
>
> {code:java}
> public void open() throws TTransportException {
>   try {
>     AccessControlContext context = AccessController.getContext();
>     Subject subject = Subject.getSubject(context);
>     Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
>       try {
>         wrapped.open();
>       } catch (TTransportException tte) {
>         // Wrap the transport exception in an RTE, since Subject.doAs() then goes
>         // and unwraps this for us out of the doAs block. We then unwrap one
>         // more time in our catch clause to get back the TTE. (ugh)
>         throw new RuntimeException(tte);
>       }
>       return null;
>     });
>   } catch (PrivilegedActionException ioe) {
>     throw new RuntimeException("Received an ioe we never threw!", ioe);
>   } catch (RuntimeException rte) {
>     if (rte.getCause() instanceof TTransportException) {
>       throw (TTransportException) rte.getCause();
>     } else {
>       throw rte;
>     }
>   }
> } {code}
>
> 3. [https://github.com/apache/spark/blob/39cc4abaff73cb49f9d79d1d844fe5c9fa14c917/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/HttpAuthUtils.java#L73]
>
> {code:java}
> public static String getKerberosServiceTicket(String principal, String host,
>     String serverHttpUrl, boolean assumeSubject) throws Exception {
>   String serverPrincipal =
>       ShimLoader.getHadoopThriftAuthBridge().getServerPrincipal(principal, host);
>   if (assumeSubject) {
>     // With this option, we're assuming that the external application,
>     // using the JDBC driver has done a JAAS kerberos login already
>     AccessControlContext context = AccessController.getContext();
>     Subject subject = Subject.getSubject(context);
>     if (subject == null) {
>       throw new Exception("The Subject is not set");
>     }
>     return Subject.doAs(subject, new HttpKerberosClientAction(serverPrincipal, serverHttpUrl));
>   } else {
>     // JAAS login from ticket cache to setup the client UserGroupInformation
>     UserGroupInformation clientUGI =
>         ShimLoader.getHadoopThriftAuthBridge().getCurrentUGIWithConf("kerberos");
>     return clientUGI.doAs(new HttpKerberosClientAction(serverPrincipal, serverHttpUrl));
>   }
> } {code}
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
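One way the two `AccessController.getContext()` / `Subject.getSubject(context)` call sites quoted above could be isolated, shown as an added example that is not Spark or Hive code and not part of the issue. It assumes the JDK 18+ method `Subject.current()` is preferred when present; the class name `SubjectCompat` and its `current()` method are hypothetical.

```java
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import javax.security.auth.Subject;

// Hypothetical helper, not Spark code: one place that hides the deprecated lookup.
public final class SubjectCompat {
  private static final MethodHandle CURRENT = resolve();

  private SubjectCompat() {}

  private static MethodHandle resolve() {
    MethodHandles.Lookup lookup = MethodHandles.lookup();
    try {
      // JDK 18+: Subject.current() takes no AccessControlContext argument.
      return lookup.findStatic(Subject.class, "current",
          MethodType.methodType(Subject.class));
    } catch (ReflectiveOperationException notAvailable) {
      // Fall through to the pre-18 path.
    }
    try {
      // JDK 17 and older: Subject.getSubject(AccessController.getContext()),
      // resolved by name so this file has no compile-time reference to the
      // deprecated-for-removal classes.
      Class<?> acc = Class.forName("java.security.AccessController");
      Class<?> ctx = Class.forName("java.security.AccessControlContext");
      MethodHandle getContext =
          lookup.findStatic(acc, "getContext", MethodType.methodType(ctx));
      MethodHandle getSubject = lookup.findStatic(Subject.class, "getSubject",
          MethodType.methodType(Subject.class, ctx));
      return MethodHandles.filterReturnValue(getContext, getSubject);
    } catch (ReflectiveOperationException e) {
      throw new ExceptionInInitializerError(e);
    }
  }

  /** Subject bound to the calling thread, or null when none is set. */
  public static Subject current() {
    try {
      return (Subject) CURRENT.invokeExact();
    } catch (RuntimeException | Error e) {
      throw e;
    } catch (Throwable t) {
      throw new IllegalStateException(t);
    }
  }

  public static void main(String[] args) {
    System.out.println("current subject: " + current());
  }
}
```

The first call site only reads a boolean system property, which `Boolean.getBoolean("sun.io.serialization.extendedDebugInfo")` does without going through `AccessController`.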