You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by "Stephen Chu (JIRA)" <ji...@apache.org> on 2014/11/06 02:42:34 UTC

[jira] [Updated] (HADOOP-10786) Patch that fixes UGI#reloginFromKeytab on java 8

     [ https://issues.apache.org/jira/browse/HADOOP-10786?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephen Chu updated HADOOP-10786:
---------------------------------
    Attachment: HADOOP-10786.2.patch

We can use reflection to make this fix and still allow JDK6 to build and run.

I've attached a patch to do this, as well as added a unit test that will catch regressions. The unit test uses the MiniKDC and verifies login from keytab and relogin from keytab in addition to simply checking that isKeytab = true when it should be.

[~Tobi], thanks a lot for working on this. Let me know what you think about my suggestion and test. If you are too busy, I can also take this JIRA up.

> Patch that fixes UGI#reloginFromKeytab on java 8
> ------------------------------------------------
>
>                 Key: HADOOP-10786
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10786
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Tobi Vollebregt
>            Assignee: Tobi Vollebregt
>            Priority: Minor
>         Attachments: HADOOP-10786.2.patch, HADOOP-10786.patch
>
>
> Krb5LoginModule changed subtly in java 8: in particular, if useKeyTab and storeKey are specified, then only a KeyTab object is added to the Subject's private credentials, whereas in java <= 7 both a KeyTab and some number of KerberosKey objects were added.
> The UGI constructor checks whether or not a keytab was used to login by looking if there are any KerberosKey objects in the Subject's private credentials. If there are, then isKeyTab is set to true, and otherwise it's set to false.
> Thus, in java 8 isKeyTab is always false given the current UGI implementation, which makes UGI#reloginFromKeytab fail silently.
> Attached patch will check for a KeyTab object on the Subject, instead of a KerberosKey object. This fixes relogins from kerberos keytabs on Oracle java 8, and works on Oracle java 7 as well.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)