stoty commented on code in PR #7892: URL: https://github.com/apache/hadoop/pull/7892#discussion_r2310495424
########## hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/concurrent/SubjectInheritingThread.java: ########## @@ -0,0 +1,148 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.util.concurrent; + +import java.security.PrivilegedAction; +import javax.security.auth.Subject; + +import org.apache.hadoop.security.authentication.util.SubjectUtil; + +/** + * Helper class to restore Subject propagation behavior of threads after the + * JEP411/JEP486 changes. + * <p> + * Java propagates the current Subject to any new Threads in all version up to + * Java 21. In Java 22-23 the Subject is only propagated if the SecurityManager + * is enabled, while in Java 24+ it is never propagated. + * <p> + * Hadoop security heavily relies on the original behavior, as Subject is at the + * core of JAAS. This class wraps thread. It overrides start() and saves the + * Subject of the current thread, and wraps the payload in a + * Subject.doAs()/callAs() call to restorere it in the newly created Thread. + * <p> + * When specifying a Runnable, this class is used in exactly the same way as + * Thread. + * <p> + * {@link #run()} cannot be directly overridden, as that would also override the + * subject restoration logic. SubjectInheritingThread provides a {@link work()} + * method instead, which is wrapped and invoked by its own final {@link run()} + * method. + */ +public class SubjectInheritingThread extends Thread { + + private Subject startSubject; + // {@link Thread#target} is private, so we need our own + private Runnable hadoopTarget; + + /** + * Behaves similar to {@link Thread#Thread()} constructor, but the code to run + * must be specified by overriding the {@link #work()} instead of the {link + * #run()} method. + */ + public SubjectInheritingThread() { + super(); + } + + /** + * Behaves similar to {@link Thread#Thread(Runnable)} constructor. + */ + public SubjectInheritingThread(Runnable target) { + super(); + this.hadoopTarget = target; + } + + /** + * Behaves similar to {@link Thread#Thread(ThreadGroup, Runnable)} constructor. Review Comment: Thanks. Fixed both on #7919 Let's continue reviewing there. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
