Posted to commits@storm.apache.org by ka...@apache.org on 2017/07/03 14:41:55 UTC

[37/40] storm git commit: [STORM-2563] Remove the workaround to handle missing UGI.loginUserFromSubject

[STORM-2563] Remove the workaround to handle missing UGI.loginUserFromSubject

https://github.com/apache/storm/blob/master/storm-client/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java#L225

The "userCons.setAccessible(true)" invokes constructor of a package private class bypassing the Java access control checks
and raising red flags in our internal security scans.

The "loginUserFromSubject(Subject subject)" method was added to UGI (https://issues.apache.org/jira/browse/HADOOP-10164)
and has been available since Hadoop version 2.3, released over three years ago (http://hadoop.apache.org/releases.html).

I think the workaround is no longer required since the case will not happen when using hadoop-common versions >= 2.3


Project: http://git-wip-us.apache.org/repos/asf/storm/repo
Commit: http://git-wip-us.apache.org/repos/asf/storm/commit/588287a7
Tree: http://git-wip-us.apache.org/repos/asf/storm/tree/588287a7
Diff: http://git-wip-us.apache.org/repos/asf/storm/diff/588287a7

Branch: refs/heads/1.1.x-branch
Commit: 588287a7a7243b44cc1141682415fec3e1237b1c
Parents: 4e258ca
Author: Arun Mahadevan <ar...@apache.org>
Authored: Wed Jun 21 10:11:36 2017 +0530
Committer: Jungtaek Lim <ka...@gmail.com>
Committed: Thu Jun 29 17:00:27 2017 +0900

----------------------------------------------------------------------
 .../storm/security/auth/kerberos/AutoTGT.java   | 40 +-------------------
 1 file changed, 2 insertions(+), 38 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/storm/blob/588287a7/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java
----------------------------------------------------------------------
diff --git a/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java b/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java
index c3f8560..d02c4e3 100644
--- a/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java
+++ b/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java
@@ -188,44 +188,8 @@ public class AutoTGT implements IAutoCredentials, ICredentialsRenewer {
                   "in your jar");
                 return;
             }
- 
-            try {
-                Method login = ugi.getMethod("loginUserFromSubject", Subject.class);
-                login.invoke(null, subject);
-            } catch (NoSuchMethodException me) {
-                //The version of Hadoop does not have the needed client changes.
-                // So don't look now, but do something really ugly to work around it.
-                // This is because we are reaching into the hidden bits of Hadoop security, and it works for now, but may stop at any point in time.
-
-                //We are just trying to do the following
-                // Configuration conf = new Configuration();
-                // HadoopKerberosName.setConfiguration(conf);
-                // subject.getPrincipals().add(new User(tgt.getClient().toString(), AuthenticationMethod.KERBEROS, null));
-                String name = getTGT(subject).getClient().toString();
-
-                LOG.warn("The Hadoop client does not have loginUserFromSubject, Trying to hack around it. This may not work...");
-                Class<?> confClass = Class.forName("org.apache.hadoop.conf.Configuration");
-                Constructor confCons = confClass.getConstructor();
-                Object conf = confCons.newInstance();
-                Class<?> hknClass = Class.forName("org.apache.hadoop.security.HadoopKerberosName");
-                Method hknSetConf = hknClass.getMethod("setConfiguration",confClass);
-                hknSetConf.invoke(null, conf);
-
-                Class<?> authMethodClass = Class.forName("org.apache.hadoop.security.UserGroupInformation$AuthenticationMethod");
-                Object kerbAuthMethod = null;
-                for (Object authMethod : authMethodClass.getEnumConstants()) {
-                    if ("KERBEROS".equals(authMethod.toString())) {
-                        kerbAuthMethod = authMethod;
-                        break;
-                    }
-                }
-
-                Class<?> userClass = Class.forName("org.apache.hadoop.security.User");
-                Constructor userCons = userClass.getConstructor(String.class, authMethodClass, LoginContext.class);
-                userCons.setAccessible(true);
-                Object user = userCons.newInstance(name, kerbAuthMethod, null);
-                subject.getPrincipals().add((Principal)user);
-            }
+            Method login = ugi.getMethod("loginUserFromSubject", Subject.class);
+            login.invoke(null, subject);
         } catch (Exception e) {
             LOG.warn("Something went wrong while trying to initialize Hadoop through reflection. This version of hadoop may not be compatible.", e);
         }
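Review bot: With the fallback gone, a missing `loginUserFromSubject` on the new `ugi.getMethod(...)` line now lands in the generic `catch (Exception e)`, which only logs a warning, so the method appears to return without having logged the subject in to Hadoop. For a Kerberos credential path that is a silent failure: the operator sees "may not be compatible" but not that the Hadoop login was skipped or which version is required. I would add a dedicated handler before the broad catch, e.g. `} catch (NoSuchMethodException e) { LOG.error("hadoop-common lacks UserGroupInformation.loginUserFromSubject (requires Hadoop >= 2.3); Hadoop Kerberos login was not performed", e);`. The diffstat shows no other changes, so the `Constructor`, `Principal` and `LoginContext` imports are probably unused now and worth checking. The enclosing method starts outside this hunk, so whether callers can detect the failure is not visible here.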