Repository: hadoop
Updated Branches:
refs/heads/branch-2.7 a8b781773 -> 81ac06039
HADOOP-13558. UserGroupInformation created from a Subject incorrectly tries to
renew the Kerberos ticket. Contributed by Xiao Chen.
(cherry picked from commit 680be58aac03a9ffab6b07c8fde9602ddb9dc858)
(cherry picked from commit d157733082697e67be56f516606a0127f5830c58)
Conflicts:
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
(cherry picked from commit a7f1dc8aa8c602faf9745588cba1e337f0e59afd)
Conflicts:
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/81ac0603
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/81ac0603
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/81ac0603
Branch: refs/heads/branch-2.7
Commit: 81ac06039e78a941fed1ef70cce05dc70ec06f24
Parents: a8b7817
Author: Xiao Chen <x...@apache.org>
Authored: Tue Sep 6 20:25:26 2016 -0700
Committer: Xiao Chen <x...@apache.org>
Committed: Mon Sep 19 12:56:02 2016 -0700
----------------------------------------------------------------------
.../hadoop/security/UserGroupInformation.java | 22 +++++++++++++++---
.../security/TestUserGroupInformation.java | 24 ++++++++++++++++++++
2 files changed, 43 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hadoop/blob/81ac0603/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
----------------------------------------------------------------------
diff --git
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
index 0597795..92e9671 100644
---
a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
+++
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
@@ -605,9 +605,24 @@ public class UserGroupInformation {
* @param subject the user's subject
*/
UserGroupInformation(Subject subject) {
+ this(subject, false);
+ }
+
+ /**
+ * Create a UGI from the given subject.
+ * @param subject the subject
+ * @param externalKeyTab if the subject's keytab is managed by the user.
+ * Setting this to true will prevent UGI from
attempting
+ * to login the keytab, or to renew it.
+ */
+ private UserGroupInformation(Subject subject, final boolean externalKeyTab) {
this.subject = subject;
this.user = subject.getPrincipals(User.class).iterator().next();
- this.isKeytab = !subject.getPrivateCredentials(KeyTab.class).isEmpty();
+ if (externalKeyTab) {
+ this.isKeytab = false;
+ } else {
+ this.isKeytab = !subject.getPrivateCredentials(KeyTab.class).isEmpty();
+ }
this.isKrbTkt =
!subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
}
@@ -797,10 +812,11 @@ public class UserGroupInformation {
newLoginContext(authenticationMethod.getLoginAppName(),
subject, new HadoopConfiguration());
login.login();
- UserGroupInformation realUser = new UserGroupInformation(subject);
+ LOG.debug("Assuming keytab is managed externally since logged in from"
+ + " subject.");
+ UserGroupInformation realUser = new UserGroupInformation(subject, true);
realUser.setLogin(login);
realUser.setAuthenticationMethod(authenticationMethod);
- realUser = new UserGroupInformation(login.getSubject());
// If the HADOOP_PROXY_USER environment variable or property
// is specified, create a proxy user as the logged in user.
String proxyUser = System.getenv(HADOOP_PROXY_USER);
http://git-wip-us.apache.org/repos/asf/hadoop/blob/81ac0603/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
----------------------------------------------------------------------
diff --git
a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
index 888efee..d09a730 100644
---
a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
+++
b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
@@ -31,6 +31,7 @@ import org.junit.*;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.kerberos.KeyTab;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.LoginContext;
@@ -892,4 +893,27 @@ public class TestUserGroupInformation {
}
}
}
+
+ @Test
+ public void testCheckTGTAfterLoginFromSubject() throws Exception {
+ // security on, default is remove default realm
+ SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, conf);
+ UserGroupInformation.setConfiguration(conf);
+
+ // Login from a pre-set subject with a keytab
+ final Subject subject = new Subject();
+ KeyTab keytab = KeyTab.getInstance();
+ subject.getPrivateCredentials().add(keytab);
+ UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
+ ugi.doAs(new PrivilegedExceptionAction<Void>() {
+ @Override
+ public Void run() throws IOException {
+ UserGroupInformation.loginUserFromSubject(subject);
+ // this should not throw.
+ UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
+ return null;
+ }
+ });
+
+ }
}
---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-commits-h...@hadoop.apache.org
