Posted to common-commits@hadoop.apache.org by ar...@apache.org on 2016/02/25 01:50:38 UTC
[25/31] hadoop git commit: HADOOP-12716.
KerberosAuthenticator#doSpnegoSequence use incorrect class to determine
isKeyTab in JDK8. Contributed by Xiaoyu Yao.
HADOOP-12716. KerberosAuthenticator#doSpnegoSequence use incorrect class to determine isKeyTab in JDK8. Contributed by Xiaoyu Yao.
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/d6b181c6
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/d6b181c6
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/d6b181c6
Branch: refs/heads/HDFS-1312
Commit: d6b181c6faa56e43c9f05d2cc860a0aeb940fd90
Parents: 9e0f7b8
Author: cnauroth <cn...@apache.org>
Authored: Wed Feb 24 13:55:39 2016 -0800
Committer: cnauroth <cn...@apache.org>
Committed: Wed Feb 24 13:55:39 2016 -0800
----------------------------------------------------------------------
.../client/KerberosAuthenticator.java | 6 ++---
.../authentication/util/KerberosUtil.java | 28 ++++++++++++++++++++
hadoop-common-project/hadoop-common/CHANGES.txt | 3 +++
.../hadoop/security/UserGroupInformation.java | 5 ++--
4 files changed, 35 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hadoop/blob/d6b181c6/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
index e107810..0f046ae 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
@@ -24,8 +24,6 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.security.auth.Subject;
-import javax.security.auth.kerberos.KerberosKey;
-import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
@@ -272,8 +270,8 @@ public class KerberosAuthenticator implements Authenticator {
AccessControlContext context = AccessController.getContext();
Subject subject = Subject.getSubject(context);
if (subject == null
- || (subject.getPrivateCredentials(KerberosKey.class).isEmpty()
- && subject.getPrivateCredentials(KerberosTicket.class).isEmpty())) {
+ || (!KerberosUtil.hasKerberosKeyTab(subject)
+ && !KerberosUtil.hasKerberosTicket(subject))) {
LOG.debug("No subject in context, logging in");
subject = new Subject();
LoginContext login = new LoginContext("", subject,
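Review bot: The `LOG.debug("No subject in context, logging in")` line is reached in two different situations, a null Subject and a Subject that exists but for which `KerberosUtil.hasKerberosKeyTab` and `KerberosUtil.hasKerberosTicket` both return false, and the message only describes the first. In the second case the caller's Subject is replaced by `new Subject()` and a fresh login is performed, so the request may end up authenticated with different credentials than the caller intended (the LoginContext setup continues outside the hunk, so which ones is not visible here). Distinguishing the two cases makes that fallback visible when diagnosing SPNEGO failures, for example `LOG.debug(subject == null ? "No subject in context, logging in" : "Subject has no Kerberos keytab or ticket, logging in");`. The enclosing method (doSpnegoSequence, per the commit title) starts and ends outside the hunk.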
http://git-wip-us.apache.org/repos/asf/hadoop/blob/d6b181c6/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java
index 3d7b00d..fd257fc 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java
@@ -38,6 +38,10 @@ import org.apache.directory.server.kerberos.shared.keytab.KeytabEntry;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;
+import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosTicket;
+import javax.security.auth.kerberos.KeyTab;
+
public class KerberosUtil {
/* Return the Kerberos login module name */
@@ -227,4 +231,28 @@ public class KerberosUtil {
}
return principals;
}
+
+ /**
+ * Check if the subject contains Kerberos keytab related objects.
+ * The Kerberos keytab object attached in subject has been changed
+ * from KerberosKey (JDK 7) to KeyTab (JDK 8)
+ *
+ *
+ * @param subject subject to be checked
+ * @return true if the subject contains Kerberos keytab
+ */
+ public static boolean hasKerberosKeyTab(Subject subject) {
+ return !subject.getPrivateCredentials(KeyTab.class).isEmpty();
+ }
+
+ /**
+ * Check if the subject contains Kerberos ticket.
+ *
+ *
+ * @param subject subject to be checked
+ * @return true if the subject contains Kerberos ticket
+ */
+ public static boolean hasKerberosTicket(Subject subject) {
+ return !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
+ }
}
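Review bot: The javadoc on `hasKerberosKeyTab` says the keytab credential was a KerberosKey on JDK 7, but the method tests only `KeyTab.class`, so a Subject holding only KerberosKey entries is reported as having no keytab and the documentation does not say so. Both helpers also dereference `subject` without a check; the KerberosAuthenticator call site tests for null first, but any other caller passing null gets a NullPointerException. I would state both points in the javadoc, e.g. `@param subject subject to be checked, must not be null` and `@return true only if the subject holds a KeyTab private credential; KerberosKey entries are not considered`, and drop the doubled empty `*` lines.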
http://git-wip-us.apache.org/repos/asf/hadoop/blob/d6b181c6/hadoop-common-project/hadoop-common/CHANGES.txt
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index a1aa142..8fd61f0 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -1744,6 +1744,9 @@ Release 2.8.0 - UNRELEASED
HADOOP-12878. KMS SPNEGO sequence does not work with WEBHDFS. (xyao)
+ HADOOP-12716. KerberosAuthenticator#doSpnegoSequence use incorrect class to
+ determine isKeyTab in JDK8. (Xiaoyu Yao via cnauroth)
+
Release 2.7.3 - UNRELEASED
INCOMPATIBLE CHANGES
http://git-wip-us.apache.org/repos/asf/hadoop/blob/d6b181c6/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
index 047e645..a0f0c69 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
@@ -48,7 +48,6 @@ import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
-import javax.security.auth.kerberos.KeyTab;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.LoginContext;
@@ -624,8 +623,8 @@ public class UserGroupInformation {
UserGroupInformation(Subject subject) {
this.subject = subject;
this.user = subject.getPrincipals(User.class).iterator().next();
- this.isKeytab = !subject.getPrivateCredentials(KeyTab.class).isEmpty();
- this.isKrbTkt = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
+ this.isKeytab = KerberosUtil.hasKerberosKeyTab(subject);
+ this.isKrbTkt = KerberosUtil.hasKerberosTicket(subject);
}
/**