[
https://issues.apache.org/jira/browse/HADOOP-10786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14201263#comment-14201263
]
Haohui Mai commented on HADOOP-10786:
-------------------------------------
{code}
+ try {
+ // In JDK6 and JDK7, if useKeyTab and storeKey are specified in the
+ // Krb5LoginModule, then some number of KerberosKey objects are added
+ // to the Subject's private credentials. However, in JDK8, a KeyTab
+ // object is added instead. More details in HADOOP-10786.
+ keytabClass = Class.forName("javax.security.auth.kerberos.KeyTab");
+ } catch (ClassNotFoundException cnfe) {
+ // Ignore. javax.security.auth.kerberos.KeyTab does not exist in JDK6.
+ }
+ if (keytabClass != null) {
+ this.isKeytab = !subject.getPrivateCredentials(keytabClass).isEmpty();
+ } else {
+ this.isKeytab =
!subject.getPrivateCredentials(KerberosKey.class).isEmpty();
+ }
this.isKrbTkt =
!subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
{code}
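Review bot: The comment above Class.forName says JDK6 and JDK7 store KerberosKey objects and only JDK8 stores a KeyTab, yet the catch block states that the KeyTab class is missing only on JDK6, so on JDK7 keytabClass is non-null and the KeyTab branch decides isKeytab. Please have the comment say that the KeyTab branch is also the one taken on JDK7 and why it is correct there. If the reflective lookup stays, resolve it once into a static final field rather than next to the this.isKeytab assignment, so it is not repeated per instance.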
{{forName}} is fairly slow. Since the patch is targeting 2.7, which only
supports JDK7, the code should be able to use the class at compile time, though
we'll need to wait until Jenkins is switched to Java 7 before this patch can
land.
{code}
+ @VisibleForTesting
+ static void setShouldRenewImmediatelyForTests(boolean immediate) {
+ shouldRenewImmediatelyForTests = immediate;
+ }
{code}
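Review bot: setShouldRenewImmediatelyForTests writes a static flag, so a test that sets it to true changes behaviour for every later test in the same JVM unless it is reset. Add Javadoc stating that the method is test-only and what the flag changes, and have callers restore the previous value in a finally block or teardown; if the flag is read from a thread other than the one calling this setter, declare it volatile.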
Instead of adding this method, it might make more sense to extract the logic of
login into a separate function and call the function directly in the tests.
> Patch that fixes UGI#reloginFromKeytab on java 8
> ------------------------------------------------
>
> Key: HADOOP-10786
> URL: https://issues.apache.org/jira/browse/HADOOP-10786
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Tobi Vollebregt
> Assignee: Tobi Vollebregt
> Attachments: HADOOP-10786.2.patch, HADOOP-10786.patch
>
>
> Krb5LoginModule changed subtly in Java 8: in particular, if useKeyTab and
> storeKey are specified, then only a KeyTab object is added to the Subject's
> private credentials, whereas in Java <= 7 both a KeyTab and some number of
> KerberosKey objects were added.
> The UGI constructor checks whether or not a keytab was used to login by
> looking if there are any KerberosKey objects in the Subject's private
> credentials. If there are, then isKeyTab is set to true, and otherwise it's
> set to false.
> Thus, in Java 8 isKeyTab is always false given the current UGI
> implementation, which makes UGI#reloginFromKeytab fail silently.
> Attached patch will check for a KeyTab object on the Subject, instead of a
> KerberosKey object. This fixes relogins from Kerberos keytabs on Oracle Java
> 8, and works on Oracle Java 7 as well.
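The detection gap described in the issue, as an added example that is not code from the patch or from Hadoop: two Subjects are filled by hand to mirror the credential layouts the description reports for Java <= 7 and Java 8, and both checks are run against each. The class name, principal, keytab path and key bytes are constructed placeholders, and Krb5LoginModule itself is not invoked.

```java
import java.io.File;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;

public class KeytabLoginDetection {
    // Check described in the issue as the current UGI behaviour: keytab login
    // is inferred from KerberosKey objects in the private credentials.
    static boolean detectByKerberosKey(Subject s) {
        return !s.getPrivateCredentials(KerberosKey.class).isEmpty();
    }

    // Check described in the issue as the fix: look for a KeyTab object.
    static boolean detectByKeyTab(Subject s) {
        return !s.getPrivateCredentials(KeyTab.class).isEmpty();
    }

    // Constructed Subject; no KDC or real keytab is contacted or read here.
    static Subject subjectWith(Object... privateCreds) {
        Subject s = new Subject();
        for (Object c : privateCreds) {
            s.getPrivateCredentials().add(c);
        }
        return s;
    }

    public static void main(String[] args) {
        KerberosPrincipal p = new KerberosPrincipal("svc/host.example.com@EXAMPLE.COM");
        // Placeholder path: KeyTab.getInstance only binds to the file, it does not read it.
        KeyTab keytab = KeyTab.getInstance(new File("/nonexistent/example.keytab"));
        // Constructed 16-byte key, etype 17 (aes128-cts-hmac-sha1-96), kvno 1.
        KerberosKey key = new KerberosKey(p, new byte[16], 17, 1);

        Subject java7Style = subjectWith(keytab, key); // KeyTab plus KerberosKey
        Subject java8Style = subjectWith(keytab);      // KeyTab only

        report("Java <= 7 style", java7Style);
        report("Java 8 style", java8Style);
    }

    static void report(String label, Subject s) {
        boolean byKey = detectByKerberosKey(s);
        boolean byTab = detectByKeyTab(s);
        System.out.printf("%-16s KerberosKey check=%-5b KeyTab check=%-5b%s%n",
            label, byKey, byTab,
            (byTab && !byKey) ? "  <- keytab login missed by the old check" : "");
    }
}
```

A flag derived this way is worth logging at login time, since a false value on a keytab-based service is what turns relogin into a silent no-op.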