Posted to commits@sentry.apache.org by pr...@apache.org on 2014/04/09 20:05:01 UTC

git commit: SENTRY-169: JAAS login options not compatible with IBM JDK (Tuong Truong via Prasad Mujumdar)

Repository: incubator-sentry
Updated Branches:
  refs/heads/master b8cd5b169 -> d40e5c4fb


SENTRY-169: JAAS login options not compatible with IBM JDK (Tuong Truong via Prasad Mujumdar)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/d40e5c4f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/d40e5c4f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/d40e5c4f

Branch: refs/heads/master
Commit: d40e5c4fb9a50e2d4f58cde82636c993ff468348
Parents: b8cd5b1
Author: Prasad Mujumdar <pr...@cloudera.com>
Authored: Wed Apr 9 11:04:47 2014 -0700
Committer: Prasad Mujumdar <pr...@cloudera.com>
Committed: Wed Apr 9 11:04:47 2014 -0700

----------------------------------------------------------------------
 .../service/thrift/KerberosConfiguration.java   | 57 +++++++++++++++-----
 1 file changed, 43 insertions(+), 14 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d40e5c4f/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
index 3022f67..41e4fe4 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
@@ -27,6 +27,7 @@ public class KerberosConfiguration extends javax.security.auth.login.Configurati
   private String principal;
   private String keytab;
   private boolean isInitiator;
+  private static final boolean IBM_JAVA =  System.getProperty("java.vendor").contains("IBM");
 
   private KerberosConfiguration(String principal, File keytab,
       boolean client) {
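Review bot: The new `IBM_JAVA` field has no comment, yet it is now the single switch for both the login module class in `getKrb5LoginModuleName()` and the JAAS option names chosen in `getAppConfigurationEntry()` later in this diff. A short comment on the field would make that explicit, for example `// True on IBM JDKs, which ship com.ibm.security.auth.module.Krb5LoginModule and expect different JAAS option names`. The test is a substring match on `java.vendor`, so a misdetection would presumably surface only as a failed Kerberos login; the comment should say that the vendor string is the only signal used. Minor style: there is a doubled space after `=` on the added line. The class body begins and ends outside this hunk.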
@@ -46,26 +47,54 @@ public class KerberosConfiguration extends javax.security.auth.login.Configurati
   }
 
   private static String getKrb5LoginModuleName() {
-    return System.getProperty("java.vendor").contains("IBM")
-        ? "com.ibm.security.auth.module.Krb5LoginModule"
-            : "com.sun.security.auth.module.Krb5LoginModule";
+    return (IBM_JAVA ? "com.ibm.security.auth.module.Krb5LoginModule"
+            : "com.sun.security.auth.module.Krb5LoginModule");
   }
 
   @Override
   public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
     Map<String, String> options = new HashMap<String, String>();
-    options.put("keyTab", keytab);
-    options.put("principal", principal);
-    options.put("useKeyTab", "true");
-    options.put("storeKey", "true");
-    options.put("doNotPrompt", "true");
-    options.put("useTicketCache", "true");
-    options.put("renewTGT", "true");
-    options.put("refreshKrb5Config", "true");
-    options.put("isInitiator", Boolean.toString(isInitiator));
+
+    if (IBM_JAVA) {
+      // IBM JAVA's UseKeytab covers both keyTab and useKeyTab options
+      options.put("useKeytab",keytab.startsWith("file://") ? keytab : "file://" + keytab);
+
+      options.put("principal", principal);
+      options.put("refreshKrb5Config", "true");
+
+      // Both "initiator" and "acceptor"
+      options.put("credsType", "both");
+    } else {
+      options.put("keyTab", keytab);
+      options.put("principal", principal);
+      options.put("useKeyTab", "true");
+      options.put("storeKey", "true");
+      options.put("doNotPrompt", "true");
+      options.put("useTicketCache", "true");
+      options.put("renewTGT", "true");
+      options.put("refreshKrb5Config", "true");
+      options.put("isInitiator", Boolean.toString(isInitiator));
+    }
+
     String ticketCache = System.getenv("KRB5CCNAME");
-    if (ticketCache != null) {
-      options.put("ticketCache", ticketCache);
+    if (IBM_JAVA) {
+      // If cache is specified via env variable, it takes priority
+      if (ticketCache != null) {
+        // IBM JAVA only respects system property so copy ticket cache to system property
+        // The first value searched when "useDefaultCcache" is true.
+        System.setProperty("KRB5CCNAME", ticketCache);
+      } else {
+    	ticketCache = System.getProperty("KRB5CCNAME");
+      }
+
+      if (ticketCache != null) {
+        options.put("useDefaultCcache", "true");
+        options.put("renewTGT", "true");
+      }
+    } else {
+      if (ticketCache != null) {
+        options.put("ticketCache", ticketCache);
+      }
     }
     options.put("debug", "true");