You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@storm.apache.org by "Jungtaek Lim (JIRA)" <ji...@apache.org> on 2017/06/22 06:47:00 UTC
[jira] [Resolved] (STORM-2563) Remove the workaround to handle
missing UGI.loginUserFromSubject
[ https://issues.apache.org/jira/browse/STORM-2563?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jungtaek Lim resolved STORM-2563.
---------------------------------
Resolution: Fixed
Fix Version/s: 1.1.1
2.0.0
Thanks [~arunmahadevan], I merged into master and 1.x branch.
> Remove the workaround to handle missing UGI.loginUserFromSubject
> ----------------------------------------------------------------
>
> Key: STORM-2563
> URL: https://issues.apache.org/jira/browse/STORM-2563
> Project: Apache Storm
> Issue Type: Bug
> Reporter: Arun Mahadevan
> Assignee: Arun Mahadevan
> Fix For: 2.0.0, 1.1.1
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> https://github.com/apache/storm/blob/master/storm-client/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java#L225
> The "userCons.setAccessible(true)" invokes constructor of a package private class bypassing the Java access control checks and raising red flags in our internal security scans.
> The "loginUserFromSubject(Subject subject)" has been added to UGI (https://issues.apache.org/jira/browse/HADOOP-10164) and available since Hadoop version 2.3 released over three years ago (http://hadoop.apache.org/releases.html).
>
> I think the workaround is no longer required since the case will not happen when using hadoop-common versions >= 2.3
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)