[jira] [Commented] (HADOOP-19212) [JDK23] org.apache.hadoop.security.UserGroupInformation use of Subject needs to move to replacement APIs

Fri, 15 Aug 2025 04:44:04 -0700 


    [ 
https://issues.apache.org/jira/browse/HADOOP-19212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18014094#comment-18014094
 ] 

ASF GitHub Bot commented on HADOOP-19212:
-----------------------------------------

pan3793 commented on PR #7434:
URL: https://github.com/apache/hadoop/pull/7434#issuecomment-3191323897

   Hi @stoty, do you have a plan to continue this work?
   
   I briefly went through the change, if I understand correctly, this PR mainly 
consists of 2 parts:
   1. route UGI doAs to `Subject.callAs` for newer JDKs, and fallback to 
original API for older JDKs
   2. migrate Thread / ThreadPool invocations to HadoopThread / 
HadoopThreadPool, to restore the capability of Subject propagation
   
   The part 1 change is relatively light, Trino's forked Hadoop project only 
changes this part. Can we change this part first to allow the downstream 
project that uses the Hadoop client to work with the new JDK?
   
   




> [JDK23] org.apache.hadoop.security.UserGroupInformation use of Subject needs 
> to move to replacement APIs
> --------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-19212
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19212
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: 3.5.0
>            Reporter: Alan Bateman
>            Priority: Major
>              Labels: pull-request-available
>
> `javax.security.auth.Subject.getSubject` and `Subject.doAs` were deprecated 
> for removal in JDK 17. The replacement APIs are `Subject.current` and 
> `callAs`. See [JEP 411]([https://openjdk.org/jeps/411]) for background.
> The `Subject.getSubject` API has been "degraded" in JDK 23 to throw 
> `UnsupportedOperationException` if not running with the option to allow a 
> SecurityManager. In a future JDK release, the `Subject.getSubject` API will 
> be degraded further to throw`UnsupportedOperationException` unconditionally.
> [renaissance/issues/439]([https://github.com/renaissance-benchmarks/renaissance/issues/439])
>  is a failure with a Spark benchmark due to the code in 
> `org.apache.hadoop.security.UserGroupInformation` using the deprecated 
> `Subject.getSubject` method. The maintainers of this code need to migrate 
> this code to the replacement APIs to ensure that this code will continue to 
> work once the security manager feature is removed.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to