You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-commits@hadoop.apache.org by aa...@apache.org on 2021/02/05 07:16:30 UTC
[hadoop] branch branch-3.3 updated: HADOOP-17432. [JDK 16]
KerberosUtil#getOidInstance is broken by JEP 396 (#2546)
This is an automated email from the ASF dual-hosted git repository.
aajisaka pushed a commit to branch branch-3.3
in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/branch-3.3 by this push:
new bdd22b6 HADOOP-17432. [JDK 16] KerberosUtil#getOidInstance is broken by JEP 396 (#2546)
bdd22b6 is described below
commit bdd22b61c28c5128c1ad6c07b3ae7b425b961b8e
Author: Akira Ajisaka <aa...@apache.org>
AuthorDate: Fri Feb 5 16:14:10 2021 +0900
HADOOP-17432. [JDK 16] KerberosUtil#getOidInstance is broken by JEP 396 (#2546)
Reviewed-by: Steve Loughran <st...@apache.org>
(cherry picked from commit 52217fce3d2a553c8850b7a1886340ae5a092436)
---
.../security/authentication/util/KerberosUtil.java | 37 +++++++++++++---------
.../server/TestKerberosAuthenticationHandler.java | 5 ++-
.../apache/hadoop/yarn/service/utils/HttpUtil.java | 12 +++----
.../hadoop/yarn/client/util/YarnClientUtils.java | 10 ++----
4 files changed, 31 insertions(+), 33 deletions(-)
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java
index 4319aa5..95f0106 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java
@@ -22,7 +22,6 @@ import static org.apache.hadoop.util.PlatformName.IBM_JAVA;
import java.io.File;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
-import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.net.InetAddress;
import java.net.UnknownHostException;
@@ -73,21 +72,29 @@ public class KerberosUtil {
}
}
- public static Oid getOidInstance(String oidName)
- throws ClassNotFoundException, GSSException, NoSuchFieldException,
- IllegalAccessException {
- Class<?> oidClass;
- if (IBM_JAVA) {
- if ("NT_GSS_KRB5_PRINCIPAL".equals(oidName)) {
- // IBM JDK GSSUtil class does not have field for krb5 principal oid
- return new Oid("1.2.840.113554.1.2.2.1");
- }
- oidClass = Class.forName("com.ibm.security.jgss.GSSUtil");
- } else {
- oidClass = Class.forName("sun.security.jgss.GSSUtil");
+ /**
+ * Returns the Oid instance from string oidName.
+ * Use {@link GSS_SPNEGO_MECH_OID}, {@link GSS_KRB5_MECH_OID},
+ * or {@link NT_GSS_KRB5_PRINCIPAL_OID} instead.
+ *
+ * @return Oid instance
+ * @param oidName The oid Name
+ * @throws NoSuchFieldException if the input is not supported.
+ */
+ @Deprecated
+ public static Oid getOidInstance(String oidName)
+ throws NoSuchFieldException {
+ switch (oidName) {
+ case "GSS_SPNEGO_MECH_OID":
+ return GSS_SPNEGO_MECH_OID;
+ case "GSS_KRB5_MECH_OID":
+ return GSS_KRB5_MECH_OID;
+ case "NT_GSS_KRB5_PRINCIPAL":
+ return NT_GSS_KRB5_PRINCIPAL_OID;
+ default:
+ throw new NoSuchFieldException(
+ "oidName: " + oidName + " is not supported.");
}
- Field oidField = oidClass.getDeclaredField(oidName);
- return (Oid)oidField.get(oidClass);
}
/**
diff --git a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java
index 629b68b..f10371b 100644
--- a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java
+++ b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java
@@ -301,11 +301,10 @@ public class TestKerberosAuthenticationHandler
GSSContext gssContext = null;
try {
String servicePrincipal = KerberosTestUtils.getServerPrincipal();
- Oid oid =
- KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL");
+ Oid oid = KerberosUtil.NT_GSS_KRB5_PRINCIPAL_OID;
GSSName serviceName = gssManager.createName(servicePrincipal,
oid);
- oid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
+ oid = KerberosUtil.GSS_KRB5_MECH_OID;
gssContext = gssManager.createContext(serviceName, oid, null,
GSSContext.DEFAULT_LIFETIME);
gssContext.requestCredDeleg(true);
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/main/java/org/apache/hadoop/yarn/service/utils/HttpUtil.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/main/java/org/apache/hadoop/yarn/service/utils/HttpUtil.java
index ac5c079..11190eb 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/main/java/org/apache/hadoop/yarn/service/utils/HttpUtil.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/main/java/org/apache/hadoop/yarn/service/utils/HttpUtil.java
@@ -30,12 +30,10 @@ import javax.ws.rs.core.MediaType;
import org.apache.commons.codec.binary.Base64;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
-import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
-import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -72,8 +70,6 @@ public class HttpUtil {
@Override
public String run() throws Exception {
try {
- // This Oid for Kerberos GSS-API mechanism.
- Oid mechOid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
GSSManager manager = GSSManager.getInstance();
// GSS name for server
GSSName serverName = manager.createName("HTTP@" + server,
@@ -81,8 +77,9 @@ public class HttpUtil {
// Create a GSSContext for authentication with the service.
// We're passing client credentials as null since we want them to
// be read from the Subject.
+ // We're passing Oid as null to use the default.
GSSContext gssContext = manager.createContext(
- serverName.canonicalize(mechOid), mechOid, null,
+ serverName.canonicalize(null), null, null,
GSSContext.DEFAULT_LIFETIME);
gssContext.requestMutualAuth(true);
gssContext.requestCredDeleg(true);
@@ -95,9 +92,8 @@ public class HttpUtil {
LOG.debug("Got valid challenge for host {}", serverName);
return new String(BASE_64_CODEC.encode(outToken),
StandardCharsets.US_ASCII);
- } catch (GSSException | IllegalAccessException
- | NoSuchFieldException | ClassNotFoundException e) {
- LOG.error("Error: {}", e);
+ } catch (GSSException e) {
+ LOG.error("Error: ", e);
throw new AuthenticationException(e);
}
}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/util/YarnClientUtils.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/util/YarnClientUtils.java
index 109e3c0..50a1a0b 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/util/YarnClientUtils.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/util/YarnClientUtils.java
@@ -31,7 +31,6 @@ import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
-import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.hadoop.yarn.api.records.NodeLabel;
import org.apache.hadoop.yarn.conf.HAUtil;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
@@ -39,7 +38,6 @@ import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
-import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -222,8 +220,6 @@ public abstract class YarnClientUtils {
@Override
public String run() throws Exception {
try {
- // This Oid for Kerberos GSS-API mechanism.
- Oid mechOid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
GSSManager manager = GSSManager.getInstance();
// GSS name for server
GSSName serverName = manager.createName("HTTP@" + server,
@@ -231,8 +227,9 @@ public abstract class YarnClientUtils {
// Create a GSSContext for authentication with the service.
// We're passing client credentials as null since we want them to
// be read from the Subject.
+ // We're passing Oid as null to use the default.
GSSContext gssContext = manager.createContext(
- serverName.canonicalize(mechOid), mechOid, null,
+ serverName.canonicalize(null), null, null,
GSSContext.DEFAULT_LIFETIME);
gssContext.requestMutualAuth(true);
gssContext.requestCredDeleg(true);
@@ -245,8 +242,7 @@ public abstract class YarnClientUtils {
LOG.debug("Got valid challenge for host {}", serverName);
return new String(BASE_64_CODEC.encode(outToken),
StandardCharsets.US_ASCII);
- } catch (GSSException | IllegalAccessException
- | NoSuchFieldException | ClassNotFoundException e) {
+ } catch (GSSException e) {
LOG.error("Error: ", e);
throw new AuthenticationException(e);
}
---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-commits-help@hadoop.apache.org