[
https://issues.apache.org/jira/browse/HADOOP-19212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17936453#comment-17936453
]
ASF GitHub Bot commented on HADOOP-19212:
-----------------------------------------
steveloughran commented on code in PR #7081:
URL: https://github.com/apache/hadoop/pull/7081#discussion_r1942770365
##########
hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/util/subject/SubjectAdapter.java:
##########
@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.util.subject;
+
+import javax.security.auth.Subject;
+
+/**
+ * javax.security.auth.Subject.getSubject is deprecated for removal.
+ * The replacement API exists only in Java 18 and above.
+ * This class helps use the newer API if available, without raising the
language level.
+ */
+public class SubjectAdapter {
+ private static final HiddenGetSubject instance;
+ static {
+ int version = 0;
+ try {
+ version =
Integer.parseInt(System.getProperty("java.specification.version"));
Review Comment:
> IMO testing trying to load the new classes and failing over to the old
classes if they cannot be found would be more robust.
interesting thought.
how about
* we avoid Subject
* pull the string on L33 to a constant
##########
hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/util/subject/SubjectAdapter.java:
##########
@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.util.subject;
+
+import javax.security.auth.Subject;
+
+/**
+ * javax.security.auth.Subject.getSubject is deprecated for removal.
+ * The replacement API exists only in Java 18 and above.
+ * This class helps use the newer API if available, without raising the
language level.
+ */
+public class SubjectAdapter {
+ private static final HiddenGetSubject instance;
+ static {
+ int version = 0;
+ try {
+ version =
Integer.parseInt(System.getProperty("java.specification.version"));
Review Comment:
@stoty interesting thought about attempting and fallbacks
We'd try the java18+ first & fall back to java <= 17 otherwise? or do it in
the opposite direction, at least for now?
> [JDK23] org.apache.hadoop.security.UserGroupInformation use of Subject needs
> to move to replacement APIs
> --------------------------------------------------------------------------------------------------------
>
> Key: HADOOP-19212
> URL: https://issues.apache.org/jira/browse/HADOOP-19212
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Affects Versions: 3.5.0
> Reporter: Alan Bateman
> Priority: Major
> Labels: pull-request-available
>
> `javax.security.auth.Subject.getSubject` and `Subject.doAs` were deprecated
> for removal in JDK 17. The replacement APIs are `Subject.current` and
> `callAs`. See [JEP 411]([https://openjdk.org/jeps/411]) for background.
> The `Subject.getSubject` API has been "degraded" in JDK 23 to throw
> `UnsupportedOperationException` if not running with the option to allow a
> SecurityManager. In a future JDK release, the `Subject.getSubject` API will
> be degraded further to throw`UnsupportedOperationException` unconditionally.
> [renaissance/issues/439]([https://github.com/renaissance-benchmarks/renaissance/issues/439])
> is a failure with a Spark benchmark due to the code in
> `org.apache.hadoop.security.UserGroupInformation` using the deprecated
> `Subject.getSubject` method. The maintainers of this code need to migrate
> this code to the replacement APIs to ensure that this code will continue to
> work once the security manager feature is removed.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
