[
https://issues.apache.org/jira/browse/HADOOP-10786?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Stephen Chu updated HADOOP-10786:
---------------------------------
Attachment: HADOOP-10786.2.patch
We can use reflection to make this fix and still allow JDK6 to build and run.
I've attached a patch to do this, as well as added a unit test that will catch
regressions. The unit test uses the MiniKDC and verifies login from keytab and
relogin from keytab in addition to simply checking that isKeytab = true when it
should be.
[~Tobi], thanks a lot for working on this. Let me know what you think about my
suggestion and test. If you are too busy, I can also take this JIRA up.
> Patch that fixes UGI#reloginFromKeytab on java 8
> ------------------------------------------------
>
> Key: HADOOP-10786
> URL: https://issues.apache.org/jira/browse/HADOOP-10786
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Tobi Vollebregt
> Assignee: Tobi Vollebregt
> Priority: Minor
> Attachments: HADOOP-10786.2.patch, HADOOP-10786.patch
>
>
> Krb5LoginModule changed subtly in java 8: in particular, if useKeyTab and
> storeKey are specified, then only a KeyTab object is added to the Subject's
> private credentials, whereas in java <= 7 both a KeyTab and some number of
> KerberosKey objects were added.
> The UGI constructor checks whether or not a keytab was used to login by
> looking if there are any KerberosKey objects in the Subject's private
> credentials. If there are, then isKeyTab is set to true, and otherwise it's
> set to false.
> Thus, in java 8 isKeyTab is always false given the current UGI
> implementation, which makes UGI#reloginFromKeytab fail silently.
> Attached patch will check for a KeyTab object on the Subject, instead of a
> KerberosKey object. This fixes relogins from kerberos keytabs on Oracle java
> 8, and works on Oracle java 7 as well.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
