Posted to common-issues@hadoop.apache.org by "Aaron T. Myers (JIRA)" <ji...@apache.org> on 2014/11/07 04:16:34 UTC

[jira] [Comment Edited] (HADOOP-10786) Patch that fixes UGI#reloginFromKeytab on java 8

    [ https://issues.apache.org/jira/browse/HADOOP-10786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14201383#comment-14201383 ] 

Aaron T. Myers edited comment on HADOOP-10786 at 11/7/14 3:15 AM:
------------------------------------------------------------------

bq. forName is fairly slow. Since the patch is targeting 2.7, which only supports JDK7, the code should be able to use the class at compile time, though we'll need to wait for jenkins to be switched to Java 7 before this patch can land.

I'd like to commit this for 2.6, though, which will still be targeting Java 6. How about we create a constant {{KEY_TAB_CLASS}} and then do the reflection in a static initialization block? That way we only pay the lookup penalty once per JVM and the patch still works with both versions of Java.


was (Author: atm):
bq. forName is fairly slow. Since the patch is targeting 2.7, which only supports JDK7, the code should be able to use the class at compile time, though we'll need to wait for jenkins to be switched to Java 7 before this patch can land.

I'd like to commit this for 2.6, though, which will still be targeting Java 6. How about we create a constant {{KEY_TAB_CLASS}} and then do the reflection in a static initialization block? That way we won't pay the lookup penalty once per JVM and the patch still works with both versions of Java.

> Patch that fixes UGI#reloginFromKeytab on java 8
> ------------------------------------------------
>
>                 Key: HADOOP-10786
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10786
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.6.0
>            Reporter: Tobi Vollebregt
>            Assignee: Stephen Chu
>         Attachments: HADOOP-10786.2.patch, HADOOP-10786.3.patch, HADOOP-10786.patch
>
>
> Krb5LoginModule changed subtly in java 8: in particular, if useKeyTab and storeKey are specified, then only a KeyTab object is added to the Subject's private credentials, whereas in java <= 7 both a KeyTab and some number of KerberosKey objects were added.
> The UGI constructor checks whether or not a keytab was used to login by looking if there are any KerberosKey objects in the Subject's private credentials. If there are, then isKeyTab is set to true, and otherwise it's set to false.
> Thus, in java 8 isKeyTab is always false given the current UGI implementation, which makes UGI#reloginFromKeytab fail silently.
> Attached patch will check for a KeyTab object on the Subject, instead of a KerberosKey object. This fixes relogins from kerberos keytabs on Oracle java 8, and works on Oracle java 7 as well.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
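
The approach discussed in this thread (resolve the KeyTab class once in a static initializer, then test the Subject's private credentials for it) could look like the sketch below. It is an added example, not the attached patch or Hadoop's UGI code. The class name `KeytabLoginCheck`, the method `isFromKeytab`, and the fallback to KerberosKey when the KeyTab class is absent are assumptions of this example; only `KEY_TAB_CLASS` is named in the thread.

```java
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;

// Hypothetical helper; only the constant name KEY_TAB_CLASS comes from the thread.
public final class KeytabLoginCheck {

  // Resolved once per JVM, so Class.forName is not paid on every check.
  // Stays null on a runtime without javax.security.auth.kerberos.KeyTab
  // (the class was introduced in Java 7).
  private static final Class<?> KEY_TAB_CLASS;

  static {
    Class<?> found = null;
    try {
      found = Class.forName("javax.security.auth.kerberos.KeyTab");
    } catch (ClassNotFoundException e) {
      // Older runtime: no KeyTab class, use the fallback in isFromKeytab.
    }
    KEY_TAB_CLASS = found;
  }

  private KeytabLoginCheck() {}

  // True if the Subject carries the credential type that marks a keytab login.
  // With KeyTab available (Java 7 and 8) only KeyTab is checked, as the issue
  // describes. Assumption of this example: without the class, fall back to
  // the older KerberosKey check.
  static boolean isFromKeytab(Subject subject) {
    Class<?> marker = (KEY_TAB_CLASS != null) ? KEY_TAB_CLASS : KerberosKey.class;
    return !subject.getPrivateCredentials(marker).isEmpty();
  }

  public static void main(String[] args) throws Exception {
    // Constructed subjects for demonstration; no KDC or keytab file is needed.
    Subject passwordLogin = new Subject();
    System.out.println("no keytab credential: " + isFromKeytab(passwordLogin));

    if (KEY_TAB_CLASS != null) {
      Subject keytabLogin = new Subject();
      // KeyTab.getInstance() is called reflectively so this file also
      // compiles against a JDK that lacks the class.
      Object keyTab = KEY_TAB_CLASS.getMethod("getInstance").invoke(null);
      keytabLogin.getPrivateCredentials().add(keyTab);
      System.out.println("KeyTab credential present: " + isFromKeytab(keytabLogin));
    }
  }
}
```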