[jira] [Commented] (HADOOP-10786) Patch that fixes UGI#reloginFromKeytab on java 8

Fri, 07 Nov 2014 12:56:39 -0800 

    [ 
https://issues.apache.org/jira/browse/HADOOP-10786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14202655#comment-14202655
 ] 

Haohui Mai commented on HADOOP-10786:
-------------------------------------

Looks pretty good to me. Some nits:

{code}
+  private static Class<?> KEY_TAB_CLASS = KerberosKey.class;
{code}

can be 

{code}
+  private static final Class<?> KEY_TAB_CLASS = KerberosKey.class;
{code}

{code}
+  public void createTestDir() {
+    workDir = new File(System.getProperty("test.dir", "target"));
+  }
{code}

You can use {{TemporaryFolder}} here so that the files can be properly cleaned 
up after the tests.


{code}
+  public File getWorkDir() {
+    return workDir;
+  }
+  public MiniKdc getKdc() {
+    return kdc;
+  }
+
{code}

Looks like the test can simply inline these getters to make the patch even 
smaller.

> Patch that fixes UGI#reloginFromKeytab on java 8
> ------------------------------------------------
>
>                 Key: HADOOP-10786
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10786
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.6.0
>            Reporter: Tobi Vollebregt
>            Assignee: Stephen Chu
>         Attachments: HADOOP-10786.2.patch, HADOOP-10786.3.patch, 
> HADOOP-10786.3.patch, HADOOP-10786.4.patch, HADOOP-10786.patch
>
>
> Krb5LoginModule changed subtly in java 8: in particular, if useKeyTab and 
> storeKey are specified, then only a KeyTab object is added to the Subject's 
> private credentials, whereas in java <= 7 both a KeyTab and some number of 
> KerberosKey objects were added.
> The UGI constructor checks whether or not a keytab was used to login by 
> looking if there are any KerberosKey objects in the Subject's private 
> credentials. If there are, then isKeyTab is set to true, and otherwise it's 
> set to false.
> Thus, in java 8 isKeyTab is always false given the current UGI 
> implementation, which makes UGI#reloginFromKeytab fail silently.
> Attached patch will check for a KeyTab object on the Subject, instead of a 
> KerberosKey object. This fixes relogins from kerberos keytabs on Oracle java 
> 8, and works on Oracle java 7 as well.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to