Posted to common-commits@hadoop.apache.org by om...@apache.org on 2011/03/04 04:45:02 UTC
svn commit: r1077138 - in
/hadoop/common/branches/branch-0.20-security-patches/src:
core/org/apache/hadoop/security/UserGroupInformation.java
test/org/apache/hadoop/security/TestUserGroupInformation.java
Author: omalley
Date: Fri Mar 4 03:45:01 2011
New Revision: 1077138
URL: http://svn.apache.org/viewvc?rev=1077138&view=rev
Log:
commit ab50124ad890fd340c6fe94095d53a4280a97aba
Author: Jitendra Nath Pandey <ji...@yahoo-inc.com>
Date: Sun Jan 31 22:53:34 2010 -0800
HADOOP-6517, HADOOP-6518 from https://issues.apache.org/jira/secure/attachment/12434368/HADOOP-6518-0_20.1.patch
+++ b/YAHOO-CHANGES.txt
+ HADOOP-6517, HADOOP-6518. Ability to add/get tokens from
+ UserGroupInformation & Kerberos login in UGI should honor KRB5CCNAME
+ (jitendra)
+
Modified:
hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/UserGroupInformation.java
hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestUserGroupInformation.java
Modified: hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/UserGroupInformation.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/UserGroupInformation.java?rev=1077138&r1=1077137&r2=1077138&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/UserGroupInformation.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/core/org/apache/hadoop/security/UserGroupInformation.java Fri Mar 4 03:45:01 2011
@@ -193,8 +193,6 @@ public class UserGroupInformation {
private static String keytabFile = null;
private final Subject subject;
- private final Set<Token<? extends TokenIdentifier>> tokens =
- new LinkedHashSet<Token<? extends TokenIdentifier>>();
private static final String OS_LOGIN_MODULE_NAME;
private static final Class<? extends Principal> OS_PRINCIPAL_CLASS;
@@ -235,6 +233,10 @@ public class UserGroupInformation {
static {
USER_KERBEROS_OPTIONS.put("doNotPrompt", "true");
USER_KERBEROS_OPTIONS.put("useTicketCache", "true");
+ String ticketCache = System.getenv("KRB5CCNAME");
+ if (ticketCache != null) {
+ USER_KERBEROS_OPTIONS.put("ticketCache", ticketCache);
+ }
}
private static final AppConfigurationEntry USER_KERBEROS_LOGIN =
new AppConfigurationEntry(Krb5LoginModule.class.getName(),
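Review bot: The `ticketCache != null` guard in the static initializer also lets through an empty KRB5CCNAME and cache designators that are not a plain file (for example a `KEYRING:` or `DIR:` value), and hands them to Krb5LoginModule as the `ticketCache` option. As far as I can tell that option expects a file-based cache, so the login may then fail rather than fall back to the default cache that `useTicketCache` alone would have found. Consider `if (ticketCache != null && !ticketCache.isEmpty()) {`, with a comment such as `// KRB5CCNAME is read once at class load; only file-based caches are usable here`. The AppConfigurationEntry that consumes the map continues outside the hunk.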
@@ -437,7 +439,7 @@ public class UserGroupInformation {
* @return true on successful add of new token
*/
public synchronized boolean addToken(Token<? extends TokenIdentifier> token) {
- return tokens.add(token);
+ return subject.getPrivateCredentials().add(token);
}
/**
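Review bot: The `synchronized` modifier on addToken (and on getTokens in the next hunk) still locks the UserGroupInformation instance, but the tokens now live in the Subject. The Subject can presumably be wrapped by more than one UGI object, since the doAs test in this commit reads the tokens back through getCurrentUser(). Two wrappers of the same Subject therefore no longer exclude each other, and the `for(Object o: creds)` loop in getTokens can throw ConcurrentModificationException while another thread adds a token. Guard both methods on the shared object instead, e.g. `synchronized (subject) { return subject.getPrivateCredentials().add(token); }`, with the same wrapper around the copy loop in getTokens.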
@@ -445,8 +447,17 @@ public class UserGroupInformation {
*
* @return an unmodifiable collection of tokens associated with user
*/
- public synchronized Collection<Token<? extends TokenIdentifier>> getTokens() {
- return Collections.unmodifiableSet(tokens);
+ @SuppressWarnings("unchecked")
+ public synchronized <Ident extends TokenIdentifier>
+ Collection<Token<Ident>> getTokens() {
+ Set<Object> creds = subject.getPrivateCredentials();
+ List<Token<Ident>> result = new ArrayList<Token<Ident>>(creds.size());
+ for(Object o: creds) {
+ if (o instanceof Token) {
+ result.add((Token<Ident>) o);
+ }
+ }
+ return Collections.unmodifiableList(result);
}
/**
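Review bot: The cast `(Token<Ident>) o` in getTokens is unchecked and the caller picks `Ident` freely, so a caller asking for one identifier type still receives every token held by the Subject. The mismatch would only surface later, as a ClassCastException when a token's identifier is used. The Javadoc should say so, for example `Returns all tokens of the user regardless of kind; callers must check the token kind before treating the identifier as Ident.` It would also help to move `@SuppressWarnings("unchecked")` from the method to a local variable holding the cast, so that other unchecked operations added to this method later are not silenced.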
Modified: hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestUserGroupInformation.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestUserGroupInformation.java?rev=1077138&r1=1077137&r2=1077138&view=diff
==============================================================================
--- hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestUserGroupInformation.java (original)
+++ hadoop/common/branches/branch-0.20-security-patches/src/test/org/apache/hadoop/security/TestUserGroupInformation.java Fri Mar 4 03:45:01 2011
@@ -27,6 +27,7 @@ import static org.mockito.Mockito.mock;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
+import java.security.PrivilegedAction;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Collection;
@@ -164,17 +165,17 @@ public class TestUserGroupInformation {
@SuppressWarnings("unchecked") // from Mockito mocks
@Test
- public void testUGITokens() {
+ public <T extends TokenIdentifier> void testUGITokens() throws Exception {
UserGroupInformation ugi =
UserGroupInformation.createUserForTesting("TheDoctor",
new String [] { "TheTARDIS"});
- Token t1 = mock(Token.class);
- Token t2 = mock(Token.class);
+ Token<T> t1 = mock(Token.class);
+ Token<T> t2 = mock(Token.class);
ugi.addToken(t1);
ugi.addToken(t2);
- Collection<Token<? extends TokenIdentifier>> z = ugi.getTokens();
+ Collection<Token<T>> z = ugi.getTokens();
assertTrue(z.contains(t1));
assertTrue(z.contains(t2));
assertEquals(2, z.size());
@@ -185,5 +186,15 @@ public class TestUserGroupInformation {
} catch(UnsupportedOperationException uoe) {
// Can't modify tokens
}
+
+ // ensure that the tokens are passed through doAs
+ Collection<Token<T>> otherSet =
+ ugi.doAs(new PrivilegedExceptionAction<Collection<Token<T>>>(){
+ public Collection<Token<T>> run() throws IOException {
+ return UserGroupInformation.getCurrentUser().getTokens();
+ }
+ });
+ assertTrue(otherSet.contains(t1));
+ assertTrue(otherSet.contains(t2));
}
}
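Review bot: The doAs check asserts only that `otherSet` contains t1 and t2, so it would still pass if getTokens returned extra or duplicated entries from the Subject's private credentials. The new `o instanceof Token` filter is not exercised either, because the test Subject holds nothing but the two mocks. Add `assertEquals(2, otherSet.size());` after the two contains checks. If the test can reach the Subject, also add a case that puts a non-Token private credential in it and checks that getTokens leaves it out.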