slfan1989 commented on issue #625:
URL: 
https://github.com/apache/incubator-uniffle/issues/625#issuecomment-1465578601

   WIP
   
   I read this part of the code carefully, and I summarized the relevant 
information as follows:
   
   We have 2 ways to solve the issue.
   - Remove `sun.security.krb5.Config.refresh();` code.
   - Add `--add-exports java.security.jgss/sun.security.krb5=ALL-UNNAMED` in the pom.xml of the project.
   
   > Remove `sun.security.krb5.Config.refresh();` code.
   
   From my personal point of view, this part of the code can be removed, 
because this part of the code should only work when the location of the 
krb5.conf configuration file changes in the same JVM.
   
   We use `UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytabFile)` to verify the identity of the user and ensure that legitimate users can access HDFS.
   
   We can find that `refreshKrb5Config=true` is added when initializing access 
to Kerberos configuration in the Hadoop code.
   
   UserGroupInformation#loginUserFromKeytabAndReturnUGI
   ```
   public
     static UserGroupInformation loginUserFromKeytabAndReturnUGI(String user,
                                     String path
                                     ) throws IOException {
       if (!isSecurityEnabled())
         return UserGroupInformation.getCurrentUser();
   
       LoginParams params = new LoginParams();
       params.put(LoginParam.PRINCIPAL, user);
       params.put(LoginParam.KEYTAB, path);
       return doSubjectLogin(null, params);
     }
   ```
   
   UserGroupInformation#doSubjectLogin
   ```
   private static UserGroupInformation doSubjectLogin(
         Subject subject, LoginParams params) throws IOException {
       ensureInitialized();
       // initial default login.
       if (subject == null && params == null) {
         params = LoginParams.getDefaults();
       }
       HadoopConfiguration loginConf = new HadoopConfiguration(params);
       try {
         // *****
         // We need to focus on this code
         // *****
         HadoopLoginContext login = newLoginContext(
           authenticationMethod.getLoginAppName(), subject, loginConf);
         login.login();
         UserGroupInformation ugi = new UserGroupInformation(login.getSubject());
         // attach login context for relogin unless this was a pre-existing
         // subject.
         if (subject == null) {
           params.put(LoginParam.PRINCIPAL, ugi.getUserName());
           ugi.setLogin(login);
           ugi.setLastLogin(Time.now());
         }
         return ugi;
       } catch (LoginException le) {
         KerberosAuthException kae =
           new KerberosAuthException(FAILURE_TO_LOGIN, le);
         if (params != null) {
           kae.setPrincipal(params.get(LoginParam.PRINCIPAL));
           kae.setKeytabFile(params.get(LoginParam.KEYTAB));
           kae.setTicketCacheFile(params.get(LoginParam.CCACHE));
         }
         throw kae;
       }
     }
   ```
   
   HadoopConfiguration#new HadoopLoginContext()
   ```
   private static HadoopLoginContext
     newLoginContext(String appName, Subject subject,
                     HadoopConfiguration loginConf)
         throws LoginException {
       // Temporarily switch the thread's ContextClassLoader to match this
       // class's classloader, so that we can properly load HadoopLoginModule
       // from the JAAS libraries.
       Thread t = Thread.currentThread();
       ClassLoader oldCCL = t.getContextClassLoader();
       t.setContextClassLoader(HadoopLoginModule.class.getClassLoader());
       try {
         return new HadoopLoginContext(appName, subject, loginConf);
       } finally {
         t.setContextClassLoader(oldCCL);
       }
     }
   ```
   
   HadoopLoginContext#constructor
   ```
   HadoopLoginContext(String appName, Subject subject,
                          HadoopConfiguration conf) throws LoginException {
         super(appName, subject, null, conf);
         this.appName = appName;
         this.conf = conf;
       }
   ```
   
   LoginContext#constructor
   Configuration config is HadoopConfiguration
   ```
   public LoginContext(String name, Subject subject,
                           CallbackHandler callbackHandler,
                           Configuration config) throws LoginException {
           this.config = config;
           if (config != null) {
               creatorAcc = java.security.AccessController.getContext();
           }
           // 
           init(name);
           if (subject != null) {
               this.subject = subject;
               subjectProvided = true;
           }
           if (callbackHandler == null) {
               loadDefaultCallbackHandler();
           } else if (creatorAcc == null) {
               this.callbackHandler = new SecureCallbackHandler
                                   (java.security.AccessController.getContext(),
                                   callbackHandler);
           } else {
               this.callbackHandler = callbackHandler;
           }
       }
   ```
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
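
Added example, not code from Uniffle or Hadoop: a JAAS `Configuration` that passes the documented `refreshKrb5Config=true` option to the JDK's `Krb5LoginModule` for a keytab login, so krb5.conf is re-read at login without calling the internal `sun.security.krb5.Config.refresh()` or adding `--add-exports`. The class name `KeytabJaasConfig`, the app name, and the sample principal and keytab path are assumptions for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Hypothetical class: an in-memory JAAS configuration for a keytab login.
public class KeytabJaasConfig extends Configuration {
  private final Map<String, String> options = new HashMap<>();

  public KeytabJaasConfig(String principal, String keytabPath) {
    options.put("useKeyTab", "true");
    options.put("keyTab", keytabPath);
    options.put("principal", principal);
    options.put("storeKey", "true");
    options.put("doNotPrompt", "true");      // fail instead of prompting for a password
    options.put("useTicketCache", "false");
    // Documented Krb5LoginModule option: re-read krb5.conf before login().
    options.put("refreshKrb5Config", "true");
  }

  @Override
  public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
    return new AppConfigurationEntry[] {
      new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
          LoginModuleControlFlag.REQUIRED, options)
    };
  }

  public static void main(String[] args) throws LoginException {
    // Constructed sample values; pass a real principal and keytab path to attempt a login.
    String principal = args.length > 0 ? args[0] : "svc-example@EXAMPLE.COM";
    String keytab = args.length > 1 ? args[1] : "/path/to/example.keytab";
    Configuration conf = new KeytabJaasConfig(principal, keytab);

    // Four-argument LoginContext constructor: a non-null Configuration is used
    // instead of the installed JAAS configuration.
    LoginContext login = new LoginContext("example-keytab-login", null, null, conf);
    System.out.println(conf.getAppConfigurationEntry("example-keytab-login")[0].getOptions());

    if (args.length > 1) {                   // only contact the KDC when real inputs are given
      login.login();
      System.out.println("Authenticated as " + login.getSubject().getPrincipals());
      login.logout();
    }
  }
}
```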
