Posted to commits@sentry.apache.org by pr...@apache.org on 2014/04/09 20:05:01 UTC
git commit: SENTRY-169: JAAS login options not compatible with IBM
JDK (Tuong Truong via Prasad Mujumdar)
Repository: incubator-sentry
Updated Branches:
refs/heads/master b8cd5b169 -> d40e5c4fb
SENTRY-169: JAAS login options not compatible with IBM JDK (Tuong Truong via Prasad Mujumdar)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/d40e5c4f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/d40e5c4f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/d40e5c4f
Branch: refs/heads/master
Commit: d40e5c4fb9a50e2d4f58cde82636c993ff468348
Parents: b8cd5b1
Author: Prasad Mujumdar <pr...@cloudera.com>
Authored: Wed Apr 9 11:04:47 2014 -0700
Committer: Prasad Mujumdar <pr...@cloudera.com>
Committed: Wed Apr 9 11:04:47 2014 -0700
----------------------------------------------------------------------
.../service/thrift/KerberosConfiguration.java | 57 +++++++++++++++-----
1 file changed, 43 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d40e5c4f/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
index 3022f67..41e4fe4 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
@@ -27,6 +27,7 @@ public class KerberosConfiguration extends javax.security.auth.login.Configurati
private String principal;
private String keytab;
private boolean isInitiator;
+ private static final boolean IBM_JAVA = System.getProperty("java.vendor").contains("IBM");
private KerberosConfiguration(String principal, File keytab,
boolean client) {
@@ -46,26 +47,54 @@ public class KerberosConfiguration extends javax.security.auth.login.Configurati
}
private static String getKrb5LoginModuleName() {
- return System.getProperty("java.vendor").contains("IBM")
- ? "com.ibm.security.auth.module.Krb5LoginModule"
- : "com.sun.security.auth.module.Krb5LoginModule";
+ return (IBM_JAVA ? "com.ibm.security.auth.module.Krb5LoginModule"
+ : "com.sun.security.auth.module.Krb5LoginModule");
}
@Override
public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
Map<String, String> options = new HashMap<String, String>();
- options.put("keyTab", keytab);
- options.put("principal", principal);
- options.put("useKeyTab", "true");
- options.put("storeKey", "true");
- options.put("doNotPrompt", "true");
- options.put("useTicketCache", "true");
- options.put("renewTGT", "true");
- options.put("refreshKrb5Config", "true");
- options.put("isInitiator", Boolean.toString(isInitiator));
+
+ if (IBM_JAVA) {
+ // IBM JAVA's UseKeytab covers both keyTab and useKeyTab options
+ options.put("useKeytab",keytab.startsWith("file://") ? keytab : "file://" + keytab);
+
+ options.put("principal", principal);
+ options.put("refreshKrb5Config", "true");
+
+ // Both "initiator" and "acceptor"
+ options.put("credsType", "both");
+ } else {
+ options.put("keyTab", keytab);
+ options.put("principal", principal);
+ options.put("useKeyTab", "true");
+ options.put("storeKey", "true");
+ options.put("doNotPrompt", "true");
+ options.put("useTicketCache", "true");
+ options.put("renewTGT", "true");
+ options.put("refreshKrb5Config", "true");
+ options.put("isInitiator", Boolean.toString(isInitiator));
+ }
+
String ticketCache = System.getenv("KRB5CCNAME");
- if (ticketCache != null) {
- options.put("ticketCache", ticketCache);
+ if (IBM_JAVA) {
+ // If cache is specified via env variable, it takes priority
+ if (ticketCache != null) {
+ // IBM JAVA only respects system property so copy ticket cache to system property
+ // The first value searched when "useDefaultCcache" is true.
+ System.setProperty("KRB5CCNAME", ticketCache);
+ } else {
+ ticketCache = System.getProperty("KRB5CCNAME");
+ }
+
+ if (ticketCache != null) {
+ options.put("useDefaultCcache", "true");
+ options.put("renewTGT", "true");
+ }
+ } else {
+ if (ticketCache != null) {
+ options.put("ticketCache", ticketCache);
+ }
}
options.put("debug", "true");
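Review bot: The IBM branch hard-codes `options.put("credsType", "both")`, so the `isInitiator` field that the non-IBM branch still passes through is ignored, and an acceptor-only service on an IBM JDK is presumably configured to obtain initiator credentials as well. Deriving the value from the field keeps the two branches equivalent and avoids requesting more than the caller asked for: `options.put("credsType", isInitiator ? "both" : "acceptor");`. Separately, `System.setProperty("KRB5CCNAME", ticketCache)` runs inside `getAppConfigurationEntry`, so each configuration lookup rewrites a JVM-wide property and replaces any value an operator supplied with `-DKRB5CCNAME`. Doing that copy once at construction, or at least adding a comment such as `// NOTE: mutates a JVM-wide property; affects every Krb5 login in this process`, would make the side effect explicit. The method body continues past the end of this hunk, so how the options map is consumed is not visible here.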