[ https://issues.apache.org/jira/browse/HADOOP-10786?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephen Chu updated HADOOP-10786:
---------------------------------
    Attachment: HADOOP-10786.3.patch

Performing the reflection in a static init block sounds like a good idea.

I can see how it'd be useful to extract the logic of login into a separate 
function and just call it directly. I'd like to make sure to exercise as much 
of the reloginFromKeytab logic as possible (aside from waiting for a renew 
window), though.

The test verifies isKeytab == true, which is good. However, if for some reason 
the way isKeytab changes in reloginFromKeytab (or something else changes before 
actual login), it'd be good to exercise this.

Attaching a patch that moves the reflection to a static block.

Also, I made some additional fixes:

* Fix the conditional logic when using shouldRenewImmediatelyForTests by moving 
the check for null TGT ahead.
* Remove //return

> Patch that fixes UGI#reloginFromKeytab on java 8
> ------------------------------------------------
>
>                 Key: HADOOP-10786
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10786
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.6.0
>            Reporter: Tobi Vollebregt
>            Assignee: Stephen Chu
>         Attachments: HADOOP-10786.2.patch, HADOOP-10786.3.patch, 
> HADOOP-10786.patch
>
>
> Krb5LoginModule changed subtly in Java 8: in particular, if useKeyTab and 
> storeKey are specified, then only a KeyTab object is added to the Subject's 
> private credentials, whereas in Java <= 7 both a KeyTab and some number of 
> KerberosKey objects were added.
> The UGI constructor checks whether or not a keytab was used to log in by 
> looking if there are any KerberosKey objects in the Subject's private 
> credentials. If there are, then isKeyTab is set to true, and otherwise it's 
> set to false.
> Thus, in Java 8 isKeyTab is always false given the current UGI 
> implementation, which makes UGI#reloginFromKeytab fail silently.
> Attached patch will check for a KeyTab object on the Subject, instead of a 
> KerberosKey object. This fixes relogins from Kerberos keytabs on Oracle Java 
> 8, and works on Oracle Java 7 as well.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
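
The two Subject checks described in the issue, as an added example that is not the attached patch or Hadoop's own code. The class and method names, the principal and the keytab path are constructed, and resolving KeyTab by reflection in a static init block follows the comment above as an assumption about how the patch does it.

```java
import java.io.File;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;

public class KeytabLoginCheck {            // hypothetical class name
    // Resolved once by reflection in a static init block, so the check itself
    // has no compile-time dependency on KeyTab (assumed reason for reflection).
    private static final Class<?> KEY_TAB_CLASS;
    static {
        Class<?> c = null;
        try {
            c = Class.forName("javax.security.auth.kerberos.KeyTab");
        } catch (ClassNotFoundException e) {
            // Runtime without KeyTab: keytab detection reports false.
        }
        KEY_TAB_CLASS = c;
    }

    // Check the issue attributes to the current UGI constructor.
    static boolean hasKerberosKey(Subject s) {
        return !s.getPrivateCredentials(KerberosKey.class).isEmpty();
    }

    // Check the issue describes as the fix.
    static boolean hasKeyTab(Subject s) {
        return KEY_TAB_CLASS != null
            && !s.getPrivateCredentials(KEY_TAB_CLASS).isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample credentials; the keytab file need not exist.
        KeyTab keyTab = KeyTab.getInstance(new File("constructed-example.keytab"));
        KerberosKey key = new KerberosKey(
            new KerberosPrincipal("svc/host.example.com@EXAMPLE.COM"),
            new byte[16], 17 /* aes128-cts-hmac-sha1-96 */, 1);

        Subject java7Style = new Subject();   // KeyTab plus KerberosKey
        java7Style.getPrivateCredentials().add(keyTab);
        java7Style.getPrivateCredentials().add(key);

        Subject java8Style = new Subject();   // KeyTab only
        java8Style.getPrivateCredentials().add(keyTab);

        for (Subject s : new Subject[] { java7Style, java8Style }) {
            System.out.println("KerberosKey check: " + hasKerberosKey(s)
                + ", KeyTab check: " + hasKeyTab(s));
        }
    }
}
```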
