[
https://issues.apache.org/jira/browse/HADOOP-19212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18014123#comment-18014123
]
ASF GitHub Bot commented on HADOOP-19212:
-----------------------------------------
stoty commented on PR #7434:
URL: https://github.com/apache/hadoop/pull/7434#issuecomment-3191598426
> Hi @stoty, do you have a plan to continue this work?
Yes, but I don't have the time right now.
I hope to be able to return to this in about a month.
>
> I briefly went through the change, if I understand correctly, this PR
mainly consists of 2 parts:
>
> 1. route UGI doAs to `Subject.callAs` for newer JDKs, and fallback to
original API for older JDKs
> 2. migrate Thread / ThreadPool invocations to HadoopThread /
HadoopThreadPool, to restore the capability of Subject propagation
Yes, that's correct.
I think that HadoopThreadPool is not really needed, as the executors don't
really preserve subjects either, and we probably already have code to set the
subject where needed.
>
> The part 1 change is relatively light, Trino's forked Hadoop project only
changes this part. Can we change this part first to allow the downstream
project that uses the Hadoop client to work with the new JDK?
The Thread changes are required for Java 22+, while the doAs() stuff is only
fully removed in 23+ (it can be turned back on by enabling SecurityManager
before that).
I don't know how much of the MR / HDFS client would work on JDK22+ without
the Thread changes though, there are a lot of changes, I don't remember how
much of them are used on the client side without digging back in the code.
The Subject changes should be enough to support JDK21 without
securityManager.
The two changes are orthogonal, so the order doesn't really matter.
> [JDK23] org.apache.hadoop.security.UserGroupInformation use of Subject needs
> to move to replacement APIs
> --------------------------------------------------------------------------------------------------------
>
> Key: HADOOP-19212
> URL: https://issues.apache.org/jira/browse/HADOOP-19212
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Affects Versions: 3.5.0
> Reporter: Alan Bateman
> Priority: Major
> Labels: pull-request-available
>
> `javax.security.auth.Subject.getSubject` and `Subject.doAs` were deprecated
> for removal in JDK 17. The replacement APIs are `Subject.current` and
> `callAs`. See [JEP 411]([https://openjdk.org/jeps/411]) for background.
> The `Subject.getSubject` API has been "degraded" in JDK 23 to throw
> `UnsupportedOperationException` if not running with the option to allow a
> SecurityManager. In a future JDK release, the `Subject.getSubject` API will
> be degraded further to throw`UnsupportedOperationException` unconditionally.
> [renaissance/issues/439]([https://github.com/renaissance-benchmarks/renaissance/issues/439])
> is a failure with a Spark benchmark due to the code in
> `org.apache.hadoop.security.UserGroupInformation` using the deprecated
> `Subject.getSubject` method. The maintainers of this code need to migrate
> this code to the replacement APIs to ensure that this code will continue to
> work once the security manager feature is removed.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
