Posted to commits@aurora.apache.org by wf...@apache.org on 2016/01/05 01:15:22 UTC
aurora git commit: Fix Kerberos5ShiroRealmModule: use dedicated jaas
config.
Repository: aurora
Updated Branches:
refs/heads/master 8706a7819 -> 9647a42e7
Fix Kerberos5ShiroRealmModule: use dedicated jaas config.
This is a fix to Kerberos initialization that moves away from setting a
system property and instead uses a ConfigFile object directly.
This prevents using the default LoginContext internals and entering
into races with other components (notably zookeeper).
Reviewed at https://reviews.apache.org/r/41895/
Project: http://git-wip-us.apache.org/repos/asf/aurora/repo
Commit: http://git-wip-us.apache.org/repos/asf/aurora/commit/9647a42e
Tree: http://git-wip-us.apache.org/repos/asf/aurora/tree/9647a42e
Diff: http://git-wip-us.apache.org/repos/asf/aurora/diff/9647a42e
Branch: refs/heads/master
Commit: 9647a42e786838de80bd2bbf924c79804ad9a0cd
Parents: 8706a78
Author: John Sirois <jo...@gmail.com>
Authored: Mon Jan 4 16:14:53 2016 -0800
Committer: Bill Farner <wf...@apache.org>
Committed: Mon Jan 4 16:14:53 2016 -0800
----------------------------------------------------------------------
.../api/security/Kerberos5ShiroRealmModule.java | 19 +++++++------------
1 file changed, 7 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/aurora/blob/9647a42e/src/main/java/org/apache/aurora/scheduler/http/api/security/Kerberos5ShiroRealmModule.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/aurora/scheduler/http/api/security/Kerberos5ShiroRealmModule.java b/src/main/java/org/apache/aurora/scheduler/http/api/security/Kerberos5ShiroRealmModule.java
index 09d8db4..0f8bdbb 100644
--- a/src/main/java/org/apache/aurora/scheduler/http/api/security/Kerberos5ShiroRealmModule.java
+++ b/src/main/java/org/apache/aurora/scheduler/http/api/security/Kerberos5ShiroRealmModule.java
@@ -30,6 +30,7 @@ import com.google.common.base.Throwables;
import com.google.common.io.Files;
import com.google.inject.AbstractModule;
import com.google.inject.PrivateModule;
+import com.sun.security.auth.login.ConfigFile;
import com.sun.security.auth.module.Krb5LoginModule;
import org.apache.aurora.common.args.Arg;
@@ -49,8 +50,6 @@ import org.slf4j.LoggerFactory;
public class Kerberos5ShiroRealmModule extends AbstractModule {
private static final Logger LOG = LoggerFactory.getLogger(Kerberos5ShiroRealmModule.class);
- private static final String JAVA_SECURITY_LOGIN_KEY = "java.security.auth.login.config";
-
/**
* Standard Object Identifier for the Kerberos 5 GSS-API mechanism.
*/
@@ -151,13 +150,13 @@ public class Kerberos5ShiroRealmModule extends AbstractModule {
return;
}
- final GSSCredential serverCredential;
-
- Optional<String> oldJavaSecurityLoginValue =
- Optional.fromNullable(System.getProperty(JAVA_SECURITY_LOGIN_KEY));
+ GSSCredential serverCredential;
try {
- System.setProperty(JAVA_SECURITY_LOGIN_KEY, jaasConfFile.getAbsolutePath());
- LoginContext loginContext = new LoginContext(getClass().getName());
+ LoginContext loginContext = new LoginContext(
+ getClass().getName(),
+ null /* subject (read from jaas config file passed below) */,
+ null /* callbackHandler */,
+ new ConfigFile(jaasConfFile.toURI()));
loginContext.login();
serverCredential = Subject.doAs(
loginContext.getSubject(),
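Review bot: The inline comment on the second constructor argument, `null /* subject (read from jaas config file passed below) */`, is misleading, because a null subject makes LoginContext create a new Subject, and the JAAS file only supplies the login-module entry looked up under `getClass().getName()`. I would change it to `null /* subject: LoginContext creates a new one */` and add a line above the constructor such as `// Pass the Configuration explicitly: the process-wide java.security.auth.login.config property is shared with other JAAS users (e.g. zookeeper).` so that a later cleanup does not revert to the one-argument constructor. The `null /* callbackHandler */` argument still leaves one process-wide input, since LoginContext then consults the `auth.login.defaultCallbackHandler` security property; if the entry is meant to log in non-interactively (presumably from a keytab, given the Krb5LoginModule import), that deserves a note in the comment as well. The enclosing method starts before this hunk and the try block continues past it.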
@@ -175,10 +174,6 @@ public class Kerberos5ShiroRealmModule extends AbstractModule {
} catch (LoginException e) {
addError(e);
return;
- } finally {
- if (oldJavaSecurityLoginValue.isPresent()) {
- System.setProperty(JAVA_SECURITY_LOGIN_KEY, oldJavaSecurityLoginValue.get());
- }
}
install(new PrivateModule() {