Posted to common-commits@hadoop.apache.org by dr...@apache.org on 2016/09/13 08:29:33 UTC
[19/50] [abbrv] hadoop git commit: HADOOP-13558. UserGroupInformation
created from a Subject incorrectly tries to renew the Kerberos ticket.
Contributed by Xiao Chen.
HADOOP-13558. UserGroupInformation created from a Subject incorrectly tries to renew the Kerberos ticket. Contributed by Xiao Chen.
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/680be58a
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/680be58a
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/680be58a
Branch: refs/heads/HDFS-10285
Commit: 680be58aac03a9ffab6b07c8fde9602ddb9dc858
Parents: 5f23abf
Author: Xiao Chen <xi...@apache.org>
Authored: Tue Sep 6 20:25:26 2016 -0700
Committer: Xiao Chen <xi...@apache.org>
Committed: Tue Sep 6 20:54:17 2016 -0700
----------------------------------------------------------------------
.../hadoop/security/UserGroupInformation.java | 22 +++++++++++++++---
.../security/TestUserGroupInformation.java | 24 ++++++++++++++++++++
2 files changed, 43 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hadoop/blob/680be58a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
index fe6fbe4..ed3a9d0 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
@@ -632,9 +632,24 @@ public class UserGroupInformation {
* @param subject the user's subject
*/
UserGroupInformation(Subject subject) {
+ this(subject, false);
+ }
+
+ /**
+ * Create a UGI from the given subject.
+ * @param subject the subject
+ * @param externalKeyTab if the subject's keytab is managed by the user.
+ * Setting this to true will prevent UGI from attempting
+ * to login the keytab, or to renew it.
+ */
+ private UserGroupInformation(Subject subject, final boolean externalKeyTab) {
this.subject = subject;
this.user = subject.getPrincipals(User.class).iterator().next();
- this.isKeytab = KerberosUtil.hasKerberosKeyTab(subject);
+ if (externalKeyTab) {
+ this.isKeytab = false;
+ } else {
+ this.isKeytab = KerberosUtil.hasKerberosKeyTab(subject);
+ }
this.isKrbTkt = KerberosUtil.hasKerberosTicket(subject);
}
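Review bot: With `externalKeyTab` set, `isKeytab` is false even when the subject holds a KeyTab, so the field now means "this UGI may log in and renew from the keytab" rather than "the subject has a keytab", and nothing at the assignment says so. A comment above the `if (externalKeyTab)` branch would stop later readers from treating the field as a credential check: `// isKeytab == false means UGI must not relogin from the keytab, not that the subject lacks one`. `isKrbTkt` is still read from the subject in both cases, so the Javadoc's "or to renew it" covers only the keytab path, and the `@param externalKeyTab` text should say that. The branch itself could be written as `this.isKeytab = !externalKeyTab && KerberosUtil.hasKerberosKeyTab(subject);`.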
@@ -850,10 +865,11 @@ public class UserGroupInformation {
newLoginContext(authenticationMethod.getLoginAppName(),
subject, new HadoopConfiguration());
login.login();
- UserGroupInformation realUser = new UserGroupInformation(subject);
+ LOG.debug("Assuming keytab is managed externally since logged in from"
+ + " subject.");
+ UserGroupInformation realUser = new UserGroupInformation(subject, true);
realUser.setLogin(login);
realUser.setAuthenticationMethod(authenticationMethod);
- realUser = new UserGroupInformation(login.getSubject());
// If the HADOOP_PROXY_USER environment variable or property
// is specified, create a proxy user as the logged in user.
String proxyUser = System.getenv(HADOOP_PROXY_USER);
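Review bot: The literal `true` in `new UserGroupInformation(subject, true)` turns off keytab relogin for every login that goes through this method, not only for subjects handed in by a caller that manages its own credentials. The start of the method is outside the hunk, so it cannot be seen here whether `subject` can also be one the method created itself; if it can, that case presumably should keep UGI-managed renewal, and the flag should be derived from whether the caller supplied the subject. At minimum, a comment at the call should record the assumption, for example `// subject came from the caller, who owns keytab login and renewal`. The debug message is also emitted before the UGI exists and names no principal, which makes it hard to match to a later expired-ticket failure.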
http://git-wip-us.apache.org/repos/asf/hadoop/blob/680be58a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
index a306d35..e45d70d 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
@@ -37,6 +37,7 @@ import org.junit.Test;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.kerberos.KeyTab;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.LoginContext;
@@ -1030,4 +1031,27 @@ public class TestUserGroupInformation {
assertTrue(credsugiTokens.contains(token1));
assertTrue(credsugiTokens.contains(token2));
}
+
+ @Test
+ public void testCheckTGTAfterLoginFromSubject() throws Exception {
+ // security on, default is remove default realm
+ SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, conf);
+ UserGroupInformation.setConfiguration(conf);
+
+ // Login from a pre-set subject with a keytab
+ final Subject subject = new Subject();
+ KeyTab keytab = KeyTab.getInstance();
+ subject.getPrivateCredentials().add(keytab);
+ UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
+ ugi.doAs(new PrivilegedExceptionAction<Void>() {
+ @Override
+ public Void run() throws IOException {
+ UserGroupInformation.loginUserFromSubject(subject);
+ // this should not throw.
+ UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
+ return null;
+ }
+ });
+
+ }
}
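Review bot: `testCheckTGTAfterLoginFromSubject` asserts nothing, so it passes whenever `checkTGTAndReloginFromKeytab()` returns without throwing, including when it returns early for a reason unrelated to this change. The test should pin the behaviour the fix is about, inside `run()` after the login: `assertFalse(UserGroupInformation.isLoginKeytabBased());` and `assertTrue(subject.getPrivateCredentials().contains(keytab));`. The test also replaces the static login user and does not restore it; whether a setup method outside this hunk resets UGI state between tests is not visible here, so that should be confirmed.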