Repository: incubator-sentry Updated Branches: refs/heads/master b8cd5b169 -> d40e5c4fb
SENTRY-169: JAAS login options not compatible with IBM JDK (Tuong Truong via Prasad Mujumdar) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/d40e5c4f Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/d40e5c4f Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/d40e5c4f Branch: refs/heads/master Commit: d40e5c4fb9a50e2d4f58cde82636c993ff468348 Parents: b8cd5b1 Author: Prasad Mujumdar <[email protected]> Authored: Wed Apr 9 11:04:47 2014 -0700 Committer: Prasad Mujumdar <[email protected]> Committed: Wed Apr 9 11:04:47 2014 -0700 ---------------------------------------------------------------------- .../service/thrift/KerberosConfiguration.java | 57 +++++++++++++++----- 1 file changed, 43 insertions(+), 14 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/d40e5c4f/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java ----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
index 3022f67..41e4fe4 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
@@ -27,6 +27,7 @@ public class KerberosConfiguration extends javax.security.auth.login.Configurati
 private String principal;
 private String keytab;
 private boolean isInitiator;
+ private static final boolean IBM_JAVA = System.getProperty("java.vendor").contains("IBM");
 private KerberosConfiguration(String principal, File keytab, boolean client) {
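Review bot: `IBM_JAVA` now selects both the login module class and the whole JAAS option set, yet it is derived from a substring match on `java.vendor`, which is only a proxy for which Krb5LoginModule the runtime actually ships. A one-line comment stating that assumption would help the next maintainer, for example `// Vendor string stands in for "the com.ibm Krb5LoginModule is present"; revisit if an IBM-branded runtime ships the com.sun module`. The class body continues outside this hunk.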
@@ -46,26 +47,54 @@ public class KerberosConfiguration extends javax.security.auth.login.Configurati
 }
 private static String getKrb5LoginModuleName() {
- return System.getProperty("java.vendor").contains("IBM")
- ? "com.ibm.security.auth.module.Krb5LoginModule"
- : "com.sun.security.auth.module.Krb5LoginModule";
+ return (IBM_JAVA ? "com.ibm.security.auth.module.Krb5LoginModule"
+ : "com.sun.security.auth.module.Krb5LoginModule");
 }
 @Override
 public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
 Map<String, String> options = new HashMap<String, String>();
- options.put("keyTab", keytab);
- options.put("principal", principal);
- options.put("useKeyTab", "true");
- options.put("storeKey", "true");
- options.put("doNotPrompt", "true");
- options.put("useTicketCache", "true");
- options.put("renewTGT", "true");
- options.put("refreshKrb5Config", "true");
- options.put("isInitiator", Boolean.toString(isInitiator));
+
+ if (IBM_JAVA) {
+ // IBM JAVA's UseKeytab covers both keyTab and useKeyTab options
+ options.put("useKeytab",keytab.startsWith("file://") ? keytab : "file://" + keytab);
+
+ options.put("principal", principal);
+ options.put("refreshKrb5Config", "true");
+
+ // Both "initiator" and "acceptor"
+ options.put("credsType", "both");
+ } else {
+ options.put("keyTab", keytab);
+ options.put("principal", principal);
+ options.put("useKeyTab", "true");
+ options.put("storeKey", "true");
+ options.put("doNotPrompt", "true");
+ options.put("useTicketCache", "true");
+ options.put("renewTGT", "true");
+ options.put("refreshKrb5Config", "true");
+ options.put("isInitiator", Boolean.toString(isInitiator));
+ }
+
 String ticketCache = System.getenv("KRB5CCNAME");
- if (ticketCache != null) {
- options.put("ticketCache", ticketCache);
+ if (IBM_JAVA) {
+ // If cache is specified via env variable, it takes priority
+ if (ticketCache != null) {
+ // IBM JAVA only respects system property so copy ticket cache to system property
+ // The first value searched when "useDefaultCcache" is true.
+ System.setProperty("KRB5CCNAME", ticketCache);
+ } else {
+ ticketCache = System.getProperty("KRB5CCNAME");
+ }
+
+ if (ticketCache != null) {
+ options.put("useDefaultCcache", "true");
+ options.put("renewTGT", "true");
+ }
+ } else {
+ if (ticketCache != null) {
+ options.put("ticketCache", ticketCache);
+ }
 }
 options.put("debug", "true");
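Review bot: The IBM branch of getAppConfigurationEntry drops the `isInitiator` field: it always sets `credsType` to `both`, while the non-IBM branch still passes `isInitiator` through, so a configuration built as acceptor-only would presumably also request initiator credentials on an IBM JDK. If the IBM module's `acceptor` value matches the intent, `options.put("credsType", isInitiator ? "both" : "acceptor");` keeps the two branches equivalent. Separately, `System.setProperty("KRB5CCNAME", ticketCache)` is a JVM-wide side effect issued on every call of a method that otherwise only builds an options map. It deserves a comment noting that every later Kerberos login in the process will see that cache path, or a move to one-time initialisation. The method's closing lines are outside the hunk.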
