Posted to commits@storm.apache.org by ka...@apache.org on 2017/07/03 14:41:55 UTC
[37/40] storm git commit: [STORM-2563] Remove the workaround to
handle missing UGI.loginUserFromSubject
[STORM-2563] Remove the workaround to handle missing UGI.loginUserFromSubject
https://github.com/apache/storm/blob/master/storm-client/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java#L225
The "userCons.setAccessible(true)" call is used to invoke the constructor of a package-private class, bypassing the Java access control checks
and raising red flags in our internal security scans.
The "loginUserFromSubject(Subject subject)" method was added to UGI (https://issues.apache.org/jira/browse/HADOOP-10164)
and has been available since Hadoop version 2.3, released over three years ago (http://hadoop.apache.org/releases.html).
I think the workaround is no longer required, since the case will not occur when using hadoop-common versions >= 2.3.
Project: http://git-wip-us.apache.org/repos/asf/storm/repo
Commit: http://git-wip-us.apache.org/repos/asf/storm/commit/588287a7
Tree: http://git-wip-us.apache.org/repos/asf/storm/tree/588287a7
Diff: http://git-wip-us.apache.org/repos/asf/storm/diff/588287a7
Branch: refs/heads/1.1.x-branch
Commit: 588287a7a7243b44cc1141682415fec3e1237b1c
Parents: 4e258ca
Author: Arun Mahadevan <ar...@apache.org>
Authored: Wed Jun 21 10:11:36 2017 +0530
Committer: Jungtaek Lim <ka...@gmail.com>
Committed: Thu Jun 29 17:00:27 2017 +0900
----------------------------------------------------------------------
.../storm/security/auth/kerberos/AutoTGT.java | 40 +-------------------
1 file changed, 2 insertions(+), 38 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/storm/blob/588287a7/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java
----------------------------------------------------------------------
diff --git a/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java b/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java
index c3f8560..d02c4e3 100644
--- a/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java
+++ b/storm-core/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java
@@ -188,44 +188,8 @@ public class AutoTGT implements IAutoCredentials, ICredentialsRenewer {
"in your jar");
return;
}
-
- try {
- Method login = ugi.getMethod("loginUserFromSubject", Subject.class);
- login.invoke(null, subject);
- } catch (NoSuchMethodException me) {
- //The version of Hadoop does not have the needed client changes.
- // So don't look now, but do something really ugly to work around it.
- // This is because we are reaching into the hidden bits of Hadoop security, and it works for now, but may stop at any point in time.
-
- //We are just trying to do the following
- // Configuration conf = new Configuration();
- // HadoopKerberosName.setConfiguration(conf);
- // subject.getPrincipals().add(new User(tgt.getClient().toString(), AuthenticationMethod.KERBEROS, null));
- String name = getTGT(subject).getClient().toString();
-
- LOG.warn("The Hadoop client does not have loginUserFromSubject, Trying to hack around it. This may not work...");
- Class<?> confClass = Class.forName("org.apache.hadoop.conf.Configuration");
- Constructor confCons = confClass.getConstructor();
- Object conf = confCons.newInstance();
- Class<?> hknClass = Class.forName("org.apache.hadoop.security.HadoopKerberosName");
- Method hknSetConf = hknClass.getMethod("setConfiguration",confClass);
- hknSetConf.invoke(null, conf);
-
- Class<?> authMethodClass = Class.forName("org.apache.hadoop.security.UserGroupInformation$AuthenticationMethod");
- Object kerbAuthMethod = null;
- for (Object authMethod : authMethodClass.getEnumConstants()) {
- if ("KERBEROS".equals(authMethod.toString())) {
- kerbAuthMethod = authMethod;
- break;
- }
- }
-
- Class<?> userClass = Class.forName("org.apache.hadoop.security.User");
- Constructor userCons = userClass.getConstructor(String.class, authMethodClass, LoginContext.class);
- userCons.setAccessible(true);
- Object user = userCons.newInstance(name, kerbAuthMethod, null);
- subject.getPrincipals().add((Principal)user);
- }
+ Method login = ugi.getMethod("loginUserFromSubject", Subject.class);
+ login.invoke(null, subject);
} catch (Exception e) {
LOG.warn("Something went wrong while trying to initialize Hadoop through reflection. This version of hadoop may not be compatible.", e);
}
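Review bot: With the `NoSuchMethodException` branch removed, a hadoop-common older than 2.3 now lands in the generic `catch (Exception e)` at the end of the hunk, which only logs a vague WARN and lets the method continue without any Hadoop login having taken place. Because this is the Kerberos credential path, that case deserves its own handler rather than being lumped in with other reflection errors, for example `catch (NoSuchMethodException e) { LOG.error("hadoop-common lacks UserGroupInformation.loginUserFromSubject (requires Hadoop >= 2.3); Hadoop login was skipped", e); }` placed ahead of the generic catch. A short comment above the `getMethod` call stating the minimum hadoop-common version would also help, e.g. `// Requires hadoop-common >= 2.3 (HADOOP-10164); no fallback for older clients.` The imports of `Constructor`, `LoginContext` and `Principal` are probably unused now, since the diffstat shows no other hunk in this file, so they should be checked and dropped if nothing else references them. The enclosing method and its `try` both start outside the hunk.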