Repository: aurora Updated Branches: refs/heads/master 8706a7819 -> 9647a42e7
Fix Kerberos5ShiroRealmModule: use dedicated jaas config. This fix to Kerberos initialization that moves away from setting a system property to instead use a ConfigFile object directly. This prevents using the default LoginContext internals and entering into races with other components (notably zookeeper). Reviewed at https://reviews.apache.org/r/41895/ Project: http://git-wip-us.apache.org/repos/asf/aurora/repo Commit: http://git-wip-us.apache.org/repos/asf/aurora/commit/9647a42e Tree: http://git-wip-us.apache.org/repos/asf/aurora/tree/9647a42e Diff: http://git-wip-us.apache.org/repos/asf/aurora/diff/9647a42e Branch: refs/heads/master Commit: 9647a42e786838de80bd2bbf924c79804ad9a0cd Parents: 8706a78 Author: John Sirois <[email protected]> Authored: Mon Jan 4 16:14:53 2016 -0800 Committer: Bill Farner <[email protected]> Committed: Mon Jan 4 16:14:53 2016 -0800 ---------------------------------------------------------------------- .../api/security/Kerberos5ShiroRealmModule.java | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/aurora/blob/9647a42e/src/main/java/org/apache/aurora/scheduler/http/api/security/Kerberos5ShiroRealmModule.java ----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/aurora/scheduler/http/api/security/Kerberos5ShiroRealmModule.java b/src/main/java/org/apache/aurora/scheduler/http/api/security/Kerberos5ShiroRealmModule.java
index 09d8db4..0f8bdbb 100644
--- a/src/main/java/org/apache/aurora/scheduler/http/api/security/Kerberos5ShiroRealmModule.java
+++ b/src/main/java/org/apache/aurora/scheduler/http/api/security/Kerberos5ShiroRealmModule.java
@@ -30,6 +30,7 @@ import com.google.common.base.Throwables;
 import com.google.common.io.Files;
 import com.google.inject.AbstractModule;
 import com.google.inject.PrivateModule;
+import com.sun.security.auth.login.ConfigFile;
 import com.sun.security.auth.module.Krb5LoginModule;
 import org.apache.aurora.common.args.Arg;
@@ -49,8 +50,6 @@ import org.slf4j.LoggerFactory;
 public class Kerberos5ShiroRealmModule extends AbstractModule {
 private static final Logger LOG = LoggerFactory.getLogger(Kerberos5ShiroRealmModule.class);
- private static final String JAVA_SECURITY_LOGIN_KEY = "java.security.auth.login.config";
-
 /**
 * Standard Object Identifier for the Kerberos 5 GSS-API mechanism.
 */
@@ -151,13 +150,13 @@ public class Kerberos5ShiroRealmModule extends AbstractModule {
 return;
 }
- final GSSCredential serverCredential;
-
- Optional<String> oldJavaSecurityLoginValue =
- Optional.fromNullable(System.getProperty(JAVA_SECURITY_LOGIN_KEY));
+ GSSCredential serverCredential;
 try {
- System.setProperty(JAVA_SECURITY_LOGIN_KEY, jaasConfFile.getAbsolutePath());
- LoginContext loginContext = new LoginContext(getClass().getName());
+ LoginContext loginContext = new LoginContext(
+ getClass().getName(),
+ null /* subject (read from jaas config file passed below) */,
+ null /* callbackHandler */,
+ new ConfigFile(jaasConfFile.toURI()));
 loginContext.login();
 serverCredential = Subject.doAs(
 loginContext.getSubject(),
@@ -175,10 +174,6 @@ public class Kerberos5ShiroRealmModule extends AbstractModule {
 } catch (LoginException e) {
 addError(e);
 return;
- } finally {
- if (oldJavaSecurityLoginValue.isPresent()) {
- System.setProperty(JAVA_SECURITY_LOGIN_KEY, oldJavaSecurityLoginValue.get());
- }
 }
 install(new PrivateModule() {
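Review bot: The added import `com.sun.security.auth.login.ConfigFile` in the `@@ -30,6 +30,7 @@` hunk names a JDK-vendor implementation class, next to the `Krb5LoginModule` import that is already there. The standard API yields the same file-backed configuration without naming the implementation: `Configuration.getInstance("JavaLoginConfig", new URIParameter(jaasConfFile.toURI()))`, using `javax.security.auth.login.Configuration` and `java.security.URIParameter`. That call throws the checked `NoSuchAlgorithmException`, which would have to be handled alongside the existing `LoginException` catch.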
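Review bot: In the `@@ -151,13 +150,13 @@` hunk, `new ConfigFile(jaasConfFile.toURI())` is documented by the JDK to throw the unchecked `SecurityException` when the configuration cannot be initialized, and the only handler visible on this page is `catch (LoginException e)` in the following hunk. Unless a clause outside the hunk covers it, an unreadable or malformed JAAS file would escape the method as a raw exception instead of being reported through `addError`; `} catch (LoginException | SecurityException e) {` would keep both failures on the same path. The inline comment on the second argument also reads as if the subject came from the file, whereas a `null` subject makes `LoginContext` create a new `Subject`; `null /* subject: LoginContext creates one */` would be more accurate. The `try` block and its remaining catch clauses extend beyond the lines shown.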
