Posted to common-commits@hadoop.apache.org by dd...@apache.org on 2012/03/20 18:19:46 UTC
svn commit: r1303018 - in /hadoop/common/branches/branch-1.0: ./
src/core/org/apache/hadoop/security/
src/core/org/apache/hadoop/security/authentication/client/
src/core/org/apache/hadoop/security/authentication/server/
src/core/org/apache/hadoop/secur...
Author: ddas
Date: Tue Mar 20 17:19:45 2012
New Revision: 1303018
URL: http://svn.apache.org/viewvc?rev=1303018&view=rev
Log:
merge -r1303016:1303017 from branch-1 onto branch-1.0. Fixes HADOOP-6941.
Added:
hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/authentication/util/KerberosUtil.java
- copied unchanged from r1303017, hadoop/common/branches/branch-1/src/core/org/apache/hadoop/security/authentication/util/KerberosUtil.java
Modified:
hadoop/common/branches/branch-1.0/ (props changed)
hadoop/common/branches/branch-1.0/CHANGES.txt (contents, props changed)
hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/KerberosName.java
hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/SecurityUtil.java
hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/UserGroupInformation.java
hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
hadoop/common/branches/branch-1.0/src/mapred/ (props changed)
hadoop/common/branches/branch-1.0/src/test/org/apache/hadoop/security/authentication/KerberosTestUtils.java
hadoop/common/branches/branch-1.0/src/test/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java
Propchange: hadoop/common/branches/branch-1.0/
------------------------------------------------------------------------------
Merged /hadoop/common/branches/branch-1:r1303017
Modified: hadoop/common/branches/branch-1.0/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1.0/CHANGES.txt?rev=1303018&r1=1303017&r2=1303018&view=diff
==============================================================================
--- hadoop/common/branches/branch-1.0/CHANGES.txt (original)
+++ hadoop/common/branches/branch-1.0/CHANGES.txt Tue Mar 20 17:19:45 2012
@@ -5,6 +5,9 @@ Hadoop Change Log
This was done to handle the build of Hadoop with IBM's JDK. (Stephen Watt,
Guillermo Cabrera and ddas)
+ HADOOP-6941. Adds support for building Hadoop with IBM's JDK
+ (Stephen Watt, Eli and ddas)
+
Release 1.0.2 - 2012.03.18
NEW FEATURES
Propchange: hadoop/common/branches/branch-1.0/CHANGES.txt
------------------------------------------------------------------------------
Merged /hadoop/common/branches/branch-1/CHANGES.txt:r1303017
Modified: hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/KerberosName.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/KerberosName.java?rev=1303018&r1=1303017&r2=1303018&view=diff
==============================================================================
--- hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/KerberosName.java (original)
+++ hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/KerberosName.java Tue Mar 20 17:19:45 2012
@@ -25,9 +25,7 @@ import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.hadoop.conf.Configuration;
-
-import sun.security.krb5.Config;
-import sun.security.krb5.KrbException;
+import org.apache.hadoop.security.authentication.util.KerberosUtil;
/**
* This class implements parsing and handling of Kerberos principal names. In
@@ -73,13 +71,11 @@ public class KerberosName {
private static List<Rule> rules;
private static String defaultRealm;
- private static Config kerbConf;
static {
try {
- kerbConf = Config.getInstance();
- defaultRealm = kerbConf.getDefaultRealm();
- } catch (KrbException ke) {
+ defaultRealm = KerberosUtil.getDefaultRealm();
+ } catch (Exception ke) {
if(UserGroupInformation.isSecurityEnabled())
throw new IllegalArgumentException("Can't get Kerberos configuration",ke);
else
Modified: hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/SecurityUtil.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/SecurityUtil.java?rev=1303018&r1=1303017&r2=1303018&view=diff
==============================================================================
--- hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/SecurityUtil.java (original)
+++ hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/SecurityUtil.java Tue Mar 20 17:19:45 2012
@@ -17,6 +17,10 @@
package org.apache.hadoop.security;
import java.io.IOException;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.URI;
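Review bot: The added `import java.lang.reflect.InvocationTargetException;` is not referenced by any line this commit adds to SecurityUtil.java, since the reflective calls are wrapped in `catch (Exception e)`. The `import java.lang.reflect.Field;` lines added to KerberosAuthenticator.java and TestKerberosAuthenticationHandler.java are likewise unused in their visible hunks. They look like leftovers from an earlier shape of the patch and can be dropped.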
@@ -42,9 +46,6 @@ import org.apache.hadoop.security.token.
//this will need to be replaced someday when there is a suitable replacement
import sun.net.dns.ResolverConfiguration;
import sun.net.util.IPAddressUtil;
-import sun.security.jgss.krb5.Krb5Util;
-import sun.security.krb5.Credentials;
-import sun.security.krb5.PrincipalName;
public class SecurityUtil {
public static final Log LOG = LogFactory.getLog(SecurityUtil.class);
@@ -128,12 +129,41 @@ public class SecurityUtil {
String serviceName = "host/" + remoteHost.getHost();
if (LOG.isDebugEnabled())
LOG.debug("Fetching service ticket for host at: " + serviceName);
- Credentials serviceCred = null;
+ Object serviceCred = null;
+ Method credsToTicketMeth;
+ Class<?> krb5utilClass;
try {
- PrincipalName principal = new PrincipalName(serviceName,
- PrincipalName.KRB_NT_SRV_HST);
- serviceCred = Credentials.acquireServiceCreds(principal
- .toString(), Krb5Util.ticketToCreds(getTgtFromSubject()));
+ Class<?> principalClass;
+ Class<?> credentialsClass;
+
+ if (System.getProperty("java.vendor").contains("IBM")) {
+ principalClass = Class.forName("com.ibm.security.krb5.PrincipalName");
+
+ credentialsClass = Class.forName("com.ibm.security.krb5.Credentials");
+ krb5utilClass = Class.forName("com.ibm.security.jgss.mech.krb5");
+ } else {
+ principalClass = Class.forName("sun.security.krb5.PrincipalName");
+ credentialsClass = Class.forName("sun.security.krb5.Credentials");
+ krb5utilClass = Class.forName("sun.security.jgss.krb5");
+ }
+ @SuppressWarnings("rawtypes")
+ Constructor principalConstructor = principalClass.getConstructor(String.class,
+ int.class);
+ Field KRB_NT_SRV_HST = principalClass.getDeclaredField("KRB_NT_SRV_HST");
+ Method acquireServiceCredsMeth =
+ credentialsClass.getDeclaredMethod("acquireServiceCreds",
+ String.class, credentialsClass);
+ Method ticketToCredsMeth = krb5utilClass.getDeclaredMethod("ticketToCreds",
+ KerberosTicket.class);
+ credsToTicketMeth = krb5utilClass.getDeclaredMethod("credsToTicket",
+ credentialsClass);
+
+ Object principal = principalConstructor.newInstance(serviceName,
+ KRB_NT_SRV_HST.get(principalClass));
+
+ serviceCred = acquireServiceCredsMeth.invoke(credentialsClass,
+ principal.toString(),
+ ticketToCredsMeth.invoke(krb5utilClass, getTgtFromSubject()));
} catch (Exception e) {
throw new IOException("Can't get service ticket for: "
+ serviceName, e);
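Review bot: `Class.forName("sun.security.jgss.krb5")` and `Class.forName("com.ibm.security.jgss.mech.krb5")` look like package names rather than class names: the import this commit removes is `sun.security.jgss.krb5.Krb5Util`, and `ticketToCreds`/`credsToTicket` were previously called on `Krb5Util`. As written the lookup would throw ClassNotFoundException on every call, which the catch-all turns into `Can't get service ticket for: ...`, so the failure is closed but fetching a service ticket can never succeed. The Sun branch should read `krb5utilClass = Class.forName("sun.security.jgss.krb5.Krb5Util");`; the matching IBM class name is not visible on this page and needs to be confirmed against the IBM JDK. The enclosing method starts before the hunk.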
@@ -141,8 +171,13 @@ public class SecurityUtil {
if (serviceCred == null) {
throw new IOException("Can't get service ticket for " + serviceName);
}
- Subject.getSubject(AccessController.getContext()).getPrivateCredentials()
- .add(Krb5Util.credsToTicket(serviceCred));
+ try {
+ Subject.getSubject(AccessController.getContext()).getPrivateCredentials()
+ .add(credsToTicketMeth.invoke(krb5utilClass, serviceCred));
+ } catch (Exception e) {
+ throw new IOException("Can't get service ticket for: "
+ + serviceName, e);
+ }
}
/**
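Review bot: The new catch block around `credsToTicketMeth.invoke(krb5utilClass, serviceCred)` reuses the message `Can't get service ticket for: `, so a failure to convert or store the ticket cannot be told apart in logs from a failure to acquire it. It also wraps the NullPointerException that results when `Subject.getSubject(...)` returns null because no Subject is associated with the context. A distinct message such as `"Can't add service ticket to Subject for: " + serviceName` would keep the two cases separable for whoever triages the log.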
Modified: hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/UserGroupInformation.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/UserGroupInformation.java?rev=1303018&r1=1303017&r2=1303018&view=diff
==============================================================================
--- hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/UserGroupInformation.java (original)
+++ hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/UserGroupInformation.java Tue Mar 20 17:19:45 2012
@@ -51,14 +51,11 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.util.Shell;
-import com.sun.security.auth.NTUserPrincipal;
-import com.sun.security.auth.UnixPrincipal;
-import com.sun.security.auth.module.Krb5LoginModule;
-
/**
* User and group information for Hadoop.
* This class wraps around a JAAS Subject and provides methods to determine the
@@ -253,22 +250,53 @@ public class UserGroupInformation {
private final boolean isKeytab;
private final boolean isKrbTkt;
- private static final String OS_LOGIN_MODULE_NAME;
- private static final Class<? extends Principal> OS_PRINCIPAL_CLASS;
+ private static String OS_LOGIN_MODULE_NAME;
+ private static Class<? extends Principal> OS_PRINCIPAL_CLASS;
private static final boolean windows =
System.getProperty("os.name").startsWith("Windows");
private static Thread renewerThread = null;
private static volatile boolean shouldRunRenewerThread = true;
- static {
- if (windows) {
- OS_LOGIN_MODULE_NAME = "com.sun.security.auth.module.NTLoginModule";
- OS_PRINCIPAL_CLASS = NTUserPrincipal.class;
+ /* Return the OS login module class name */
+ private static String getOSLoginModuleName() {
+ if (System.getProperty("java.vendor").contains("IBM")) {
+ return windows ? "com.ibm.security.auth.module.NTLoginModule"
+ : "com.ibm.security.auth.module.LinuxLoginModule";
} else {
- OS_LOGIN_MODULE_NAME = "com.sun.security.auth.module.UnixLoginModule";
- OS_PRINCIPAL_CLASS = UnixPrincipal.class;
+ return windows ? "com.sun.security.auth.module.NTLoginModule"
+ : "com.sun.security.auth.module.UnixLoginModule";
}
}
+
+ /* Return the OS principal class */
+ @SuppressWarnings("unchecked")
+ private static Class<? extends Principal> getOsPrincipalClass() {
+ ClassLoader cl = ClassLoader.getSystemClassLoader();
+ try {
+ if (System.getProperty("java.vendor").contains("IBM")) {
+ if (windows) {
+ return (Class<? extends Principal>)
+ cl.loadClass("com.ibm.security.auth.UsernamePrincipal");
+ } else {
+ return (Class<? extends Principal>)
+ (System.getProperty("os.arch").contains("64")
+ ? cl.loadClass("com.ibm.security.auth.UsernamePrincipal")
+ : cl.loadClass("com.ibm.security.auth.LinuxPrincipal"));
+ }
+ } else {
+ return (Class<? extends Principal>) (windows
+ ? cl.loadClass("com.sun.security.auth.NTUserPrincipal")
+ : cl.loadClass("com.sun.security.auth.UnixPrincipal"));
+ }
+ } catch (ClassNotFoundException e) {
+ LOG.error("Unable to find JAAS classes:" + e.getMessage());
+ }
+ return null;
+ }
+ static {
+ OS_LOGIN_MODULE_NAME = getOSLoginModuleName();
+ OS_PRINCIPAL_CLASS = getOsPrincipalClass();
+ }
private static class RealUser implements Principal {
private final UserGroupInformation realUser;
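Review bot: `getOsPrincipalClass()` logs and returns null when the vendor class cannot be loaded, so `OS_PRINCIPAL_CLASS` can be null after the static block and the failure surfaces later, wherever the field is used (not shown in this hunk), rather than at class initialisation. The log call also drops the stack trace; `LOG.error("Unable to find JAAS classes", e);` keeps it. If a missing principal class is never a valid state, throwing with the cause attached would make the misdetected JDK obvious at startup. Both fields are still assigned exactly once in the static block, so `OS_LOGIN_MODULE_NAME` and `OS_PRINCIPAL_CLASS` can keep their `final` modifier.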
@@ -339,7 +367,7 @@ public class UserGroupInformation {
}
}
private static final AppConfigurationEntry USER_KERBEROS_LOGIN =
- new AppConfigurationEntry(Krb5LoginModule.class.getName(),
+ new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
LoginModuleControlFlag.OPTIONAL,
USER_KERBEROS_OPTIONS);
private static final Map<String,String> KEYTAB_KERBEROS_OPTIONS =
@@ -350,7 +378,7 @@ public class UserGroupInformation {
KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true");
}
private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN =
- new AppConfigurationEntry(Krb5LoginModule.class.getName(),
+ new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
LoginModuleControlFlag.REQUIRED,
KEYTAB_KERBEROS_OPTIONS);
Modified: hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java?rev=1303018&r1=1303017&r2=1303018&view=diff
==============================================================================
--- hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java (original)
+++ hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java Tue Mar 20 17:19:45 2012
@@ -13,12 +13,12 @@
*/
package org.apache.hadoop.security.authentication.client;
-import com.sun.security.auth.module.Krb5LoginModule;
import org.apache.commons.codec.binary.Base64;
+import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
-import sun.security.jgss.GSSUtil;
+import org.ietf.jgss.Oid;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
@@ -26,6 +26,7 @@ import javax.security.auth.login.Configu
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.io.IOException;
+import java.lang.reflect.Field;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.AccessControlContext;
@@ -97,7 +98,7 @@ public class KerberosAuthenticator imple
}
private static final AppConfigurationEntry USER_KERBEROS_LOGIN =
- new AppConfigurationEntry(Krb5LoginModule.class.getName(),
+ new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL,
USER_KERBEROS_OPTIONS);
@@ -109,7 +110,7 @@ public class KerberosAuthenticator imple
return USER_KERBEROS_CONF;
}
}
-
+
private URL url;
private HttpURLConnection conn;
private Base64 base64;
@@ -195,9 +196,12 @@ public class KerberosAuthenticator imple
try {
GSSManager gssManager = GSSManager.getInstance();
String servicePrincipal = "HTTP/" + KerberosAuthenticator.this.url.getHost();
+
GSSName serviceName = gssManager.createName(servicePrincipal,
- GSSUtil.NT_GSS_KRB5_PRINCIPAL);
- gssContext = gssManager.createContext(serviceName, GSSUtil.GSS_KRB5_MECH_OID, null,
+ GSSName.NT_HOSTBASED_SERVICE);
+ Oid oid = KerberosUtil.getOidClassInstance(servicePrincipal,
+ gssManager);
+ gssContext = gssManager.createContext(serviceName, oid, null,
GSSContext.DEFAULT_LIFETIME);
gssContext.requestCredDeleg(true);
gssContext.requestMutualAuth(true);
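Review bot: `gssManager.createName(servicePrincipal, GSSName.NT_HOSTBASED_SERVICE)` is passed `"HTTP/" + host`, but the host-based service name form is defined as `service@hostname`; the name type it replaces, `GSSUtil.NT_GSS_KRB5_PRINCIPAL`, was the one that takes `service/host`. How a provider parses a host-based name without `@` is implementation-specific, so the client may request a ticket for, and mutually authenticate, a different principal than intended, or fail on one of the two JDKs. Either build the name as `"HTTP@" + KerberosAuthenticator.this.url.getHost()` or keep the Kerberos principal name type and obtain its Oid without the `sun.*` import. The same pairing is introduced in the TestKerberosAuthenticationHandler.java hunk, and the enclosing method here starts and ends outside the hunk.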
Modified: hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java?rev=1303018&r1=1303017&r2=1303018&view=diff
==============================================================================
--- hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java (original)
+++ hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java Tue Mar 20 17:19:45 2012
@@ -15,9 +15,9 @@ package org.apache.hadoop.security.authe
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
-import com.sun.security.auth.module.Krb5LoginModule;
import org.apache.commons.codec.binary.Base64;
import org.apache.hadoop.security.KerberosName;
+import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
@@ -93,7 +93,7 @@ public class KerberosAuthenticationHandl
}
return new AppConfigurationEntry[]{
- new AppConfigurationEntry(Krb5LoginModule.class.getName(),
+ new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
options),};
}
Propchange: hadoop/common/branches/branch-1.0/src/mapred/
------------------------------------------------------------------------------
Merged /hadoop/common/branches/branch-1/src/mapred:r1303017
Modified: hadoop/common/branches/branch-1.0/src/test/org/apache/hadoop/security/authentication/KerberosTestUtils.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1.0/src/test/org/apache/hadoop/security/authentication/KerberosTestUtils.java?rev=1303018&r1=1303017&r2=1303018&view=diff
==============================================================================
--- hadoop/common/branches/branch-1.0/src/test/org/apache/hadoop/security/authentication/KerberosTestUtils.java (original)
+++ hadoop/common/branches/branch-1.0/src/test/org/apache/hadoop/security/authentication/KerberosTestUtils.java Tue Mar 20 17:19:45 2012
@@ -13,13 +13,15 @@
*/
package org.apache.hadoop.security.authentication;
-import com.sun.security.auth.module.Krb5LoginModule;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
+
+import org.apache.hadoop.security.authentication.util.KerberosUtil;
+
import java.io.File;
import java.security.Principal;
import java.security.PrivilegedActionException;
@@ -88,7 +90,7 @@ public class KerberosTestUtils {
options.put("debug", "true");
return new AppConfigurationEntry[]{
- new AppConfigurationEntry(Krb5LoginModule.class.getName(),
+ new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
options),};
}
Modified: hadoop/common/branches/branch-1.0/src/test/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1.0/src/test/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java?rev=1303018&r1=1303017&r2=1303018&view=diff
==============================================================================
--- hadoop/common/branches/branch-1.0/src/test/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java (original)
+++ hadoop/common/branches/branch-1.0/src/test/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java Tue Mar 20 17:19:45 2012
@@ -18,15 +18,17 @@ import org.apache.hadoop.security.authen
import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
import junit.framework.TestCase;
import org.apache.commons.codec.binary.Base64;
+import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.junit.Ignore;
import org.mockito.Mockito;
-import sun.security.jgss.GSSUtil;
+import org.ietf.jgss.Oid;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import java.lang.reflect.Field;
import java.util.Properties;
import java.util.concurrent.Callable;
@@ -116,9 +118,12 @@ public class TestKerberosAuthenticationH
GSSContext gssContext = null;
try {
String servicePrincipal = KerberosTestUtils.getServerPrincipal();
- GSSName serviceName = gssManager.createName(servicePrincipal, GSSUtil.NT_GSS_KRB5_PRINCIPAL);
- gssContext = gssManager.createContext(serviceName, GSSUtil.GSS_KRB5_MECH_OID, null,
- GSSContext.DEFAULT_LIFETIME);
+ GSSName serviceName = gssManager.createName(servicePrincipal,
+ GSSName.NT_HOSTBASED_SERVICE);
+ Oid oid = KerberosUtil.getOidClassInstance(servicePrincipal,
+ gssManager);
+ gssContext = gssManager.createContext(serviceName, oid, null,
+ GSSContext.DEFAULT_LIFETIME);
gssContext.requestCredDeleg(true);
gssContext.requestMutualAuth(true);