[
https://issues.apache.org/jira/browse/HADOOP-10786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16756797#comment-16756797
]
Chinmay Kulkarni commented on HADOOP-10786:
-------------------------------------------
[~Tobi] [~schu] is this also an issue for OpenJDK 1.8?
> Fix UGI#reloginFromKeytab on Java 8
> -----------------------------------
>
> Key: HADOOP-10786
> URL: https://issues.apache.org/jira/browse/HADOOP-10786
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.6.0
> Reporter: Tobi Vollebregt
> Assignee: Stephen Chu
> Priority: Major
> Labels: 2.6.1-candidate
> Fix For: 2.6.1, 2.7.0, 3.0.0-alpha1
>
> Attachments: HADOOP-10786.2.patch, HADOOP-10786.3.patch,
> HADOOP-10786.3.patch, HADOOP-10786.4.patch, HADOOP-10786.5.patch,
> HADOOP-10786.patch
>
>
> Krb5LoginModule changed subtly in java 8: in particular, if useKeyTab and
> storeKey are specified, then only a KeyTab object is added to the Subject's
> private credentials, whereas in java <= 7 both a KeyTab and some number of
> KerberosKey objects were added.
> The UGI constructor checks whether or not a keytab was used to login by
> looking if there are any KerberosKey objects in the Subject's private
> credentials. If there are, then isKeyTab is set to true, and otherwise it's
> set to false.
> Thus, in java 8 isKeyTab is always false given the current UGI
> implementation, which makes UGI#reloginFromKeytab fail silently.
> Attached patch will check for a KeyTab object on the Subject, instead of a
> KerberosKey object. This fixes relogins from kerberos keytabs on Oracle java
> 8, and works on Oracle java 7 as well.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
