Posted to common-commits@hadoop.apache.org by om...@apache.org on 2011/03/04 05:17:49 UTC
svn commit: r1077465 - in
/hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop:
ipc/Client.java security/UserGroupInformation.java
Author: omalley
Date: Fri Mar 4 04:17:49 2011
New Revision: 1077465
URL: http://svn.apache.org/viewvc?rev=1077465&view=rev
Log:
commit 652fe6f04263a70084a7595c3af47d4f610c5569
Author: Boris Shkolnik <bo...@yahoo-inc.com>
Date: Fri May 14 17:35:40 2010 -0700
HADOOP:6706 from https://issues.apache.org/jira/secure/attachment/12444549/HADOOP-6706-BP20-fix3.patch
+++ b/YAHOO-CHANGES.txt
+ HADOOP-6706.FIX. Relogin behavior for RPC clients could be improved
+ (boryas)
+
Modified:
hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/ipc/Client.java
hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/UserGroupInformation.java
Modified: hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/ipc/Client.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/ipc/Client.java?rev=1077465&r1=1077464&r2=1077465&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/ipc/Client.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/ipc/Client.java Fri Mar 4 04:17:49 2011
@@ -358,9 +358,13 @@ public class Client {
UserGroupInformation.getCurrentUser();
UserGroupInformation realUser = currentUser.getRealUser();
if (authMethod == AuthMethod.KERBEROS &&
+ loginUser != null &&
+ //Make sure user logged in using Kerberos either keytab or TGT
+ loginUser.hasKerberosCredentials() &&
// relogin only in case it is the login user (e.g. JT)
- // or superuser (like oozie).
- (currentUser.equals(loginUser) || loginUser.equals(realUser))) {
+ // or superuser (like oozie).
+ (loginUser.equals(currentUser) || loginUser.equals(realUser))
+ ) {
return true;
}
return false;
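Review bot: The relogin gate is now a five-term condition with comments interleaved between operands and a closing `)` on its own line, which makes it easy to misread which checks guard the `equals` pair. Since the body only returns the condition's value, it could be written as `return authMethod == AuthMethod.KERBEROS && loginUser != null && loginUser.hasKerberosCredentials() && (loginUser.equals(currentUser) || loginUser.equals(realUser));` with the two explanatory comments moved above the statement. Putting `loginUser` on the left of `equals` is what makes the added null check sufficient, and a one-line comment saying that `realUser` may be null would keep a later edit from swapping the operands back. The method starts above this hunk, so where `loginUser` is assigned is not visible here.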
Modified: hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/UserGroupInformation.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/UserGroupInformation.java?rev=1077465&r1=1077464&r2=1077465&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/UserGroupInformation.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/UserGroupInformation.java Fri Mar 4 04:17:49 2011
@@ -269,6 +269,7 @@ public class UserGroupInformation {
// All non-static fields must be read-only caches that come from the subject.
private final User user;
private final boolean isKeytab;
+ private final boolean isKrbTkt;
private static final String OS_LOGIN_MODULE_NAME;
private static final Class<? extends Principal> OS_PRINCIPAL_CLASS;
@@ -410,6 +411,15 @@ public class UserGroupInformation {
this.subject = subject;
this.user = subject.getPrincipals(User.class).iterator().next();
this.isKeytab = !subject.getPrivateCredentials(KerberosKey.class).isEmpty();
+ this.isKrbTkt = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
+ }
+
+ /**
+ * checks if logged in using kerberos
+ * @return true if the subject logged via keytab or has a Kerberos TGT
+ */
+ public boolean hasKerberosCredentials() {
+ return isKeytab || isKrbTkt;
}
/**
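Review bot: The Javadoc on `hasKerberosCredentials()` promises "a Kerberos TGT", but `isKrbTkt` is set from `subject.getPrivateCredentials(KerberosTicket.class)`, which is non-empty for any Kerberos ticket in the subject, not only a ticket-granting ticket. Both flags are also `final` and computed once in the constructor, so the result describes the subject at construction time. If credentials are added to or removed from the subject afterwards, the answer may be stale. I would reword the doc to `@return true if the subject held a KerberosKey (keytab login) or any KerberosTicket when this object was created`, or else narrow the check to the TGT if that is what callers rely on. The constructor begins above this hunk.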
@@ -598,7 +608,7 @@ public class UserGroupInformation {
throws IOException {
if (!isSecurityEnabled() ||
user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS ||
- isKeytab)
+ !isKrbTkt)
return;
LoginContext login = getLogin();
if (login == null) {
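Review bot: Replacing `isKeytab` with `!isKrbTkt` drops the old early return for keytab logins. A subject that logged in from a keytab normally holds a `KerberosTicket` as well as a `KerberosKey`, so it would now pass this guard and continue into the ticket-cache relogin path. If that path is meant to stay exclusive to ticket-cache logins, the guard should keep both tests, `isKeytab || !isKrbTkt)`. If callers are expected to choose the right relogin method, a comment here should say so. The brace-less `if (...) return;` spread over four lines is also easy to break when the condition is edited, so braces would help. The rest of the method lies outside this hunk.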