HADOOP-13081. add the ability to create multiple UGIs/subjects from one kerberos login. Contributed by Sergey Shelukhin.
This commit is contained in:
parent
3818393297
commit
0458a2af6e
|
@ -38,6 +38,7 @@ import java.util.Arrays;
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
import java.util.Collections;
|
import java.util.Collections;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
|
import java.util.HashSet;
|
||||||
import java.util.Iterator;
|
import java.util.Iterator;
|
||||||
import java.util.LinkedHashSet;
|
import java.util.LinkedHashSet;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
@ -638,6 +639,32 @@ public class UserGroupInformation {
|
||||||
this.isKrbTkt = KerberosUtil.hasKerberosTicket(subject);
|
this.isKrbTkt = KerberosUtil.hasKerberosTicket(subject);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Copies the Subject of this UGI and creates a new UGI with the new subject.
|
||||||
|
* This can be used to add credentials (e.g. tokens) to different copies of
|
||||||
|
* the same UGI, allowing multiple users with different tokens to reuse the
|
||||||
|
* UGI without re-authenticating with Kerberos.
|
||||||
|
* @return clone of the UGI with a new subject.
|
||||||
|
*/
|
||||||
|
@InterfaceAudience.Public
|
||||||
|
@InterfaceStability.Evolving
|
||||||
|
public UserGroupInformation copySubjectAndUgi() {
|
||||||
|
Subject subj = getSubject();
|
||||||
|
// The ctor will set other fields automatically from the principals.
|
||||||
|
return new UserGroupInformation(new Subject(false, subj.getPrincipals(),
|
||||||
|
cloneCredentials(subj.getPublicCredentials()),
|
||||||
|
cloneCredentials(subj.getPrivateCredentials())));
|
||||||
|
}
|
||||||
|
|
||||||
|
private static Set<Object> cloneCredentials(Set<Object> old) {
|
||||||
|
Set<Object> set = new HashSet<>();
|
||||||
|
// Make sure Hadoop credentials objects do not reuse the maps.
|
||||||
|
for (Object o : old) {
|
||||||
|
set.add(o instanceof Credentials ? new Credentials((Credentials)o) : o);
|
||||||
|
}
|
||||||
|
return set;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* checks if logged in using kerberos
|
* checks if logged in using kerberos
|
||||||
* @return true if the subject logged via keytab or has a Kerberos TGT
|
* @return true if the subject logged via keytab or has a Kerberos TGT
|
||||||
|
|
|
@ -44,6 +44,7 @@ import java.security.PrivilegedExceptionAction;
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
import java.util.ConcurrentModificationException;
|
import java.util.ConcurrentModificationException;
|
||||||
import java.util.LinkedHashSet;
|
import java.util.LinkedHashSet;
|
||||||
|
import java.util.List;
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
|
|
||||||
import static org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_USER_GROUP_METRICS_PERCENTILES_INTERVALS;
|
import static org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_USER_GROUP_METRICS_PERCENTILES_INTERVALS;
|
||||||
|
@ -877,6 +878,32 @@ public class TestUserGroupInformation {
|
||||||
assertEquals(1, tokens.size());
|
assertEquals(1, tokens.size());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test(timeout = 30000)
|
||||||
|
public void testCopySubjectAndUgi() throws IOException {
|
||||||
|
SecurityUtil.setAuthenticationMethod(AuthenticationMethod.SIMPLE, conf);
|
||||||
|
UserGroupInformation.setConfiguration(conf);
|
||||||
|
UserGroupInformation u1 = UserGroupInformation.getLoginUser();
|
||||||
|
assertNotNull(u1);
|
||||||
|
@SuppressWarnings("unchecked")
|
||||||
|
Token<? extends TokenIdentifier> tmpToken = mock(Token.class);
|
||||||
|
u1.addToken(tmpToken);
|
||||||
|
|
||||||
|
UserGroupInformation u2 = u1.copySubjectAndUgi();
|
||||||
|
assertEquals(u1.getAuthenticationMethod(), u2.getAuthenticationMethod());
|
||||||
|
assertNotSame(u1.getSubject(), u2.getSubject());
|
||||||
|
Credentials c1 = u1.getCredentials(), c2 = u2.getCredentials();
|
||||||
|
List<Text> sc1 = c1.getAllSecretKeys(), sc2 = c2.getAllSecretKeys();
|
||||||
|
assertArrayEquals(sc1.toArray(new Text[0]), sc2.toArray(new Text[0]));
|
||||||
|
Collection<Token<? extends TokenIdentifier>> ts1 = c1.getAllTokens(),
|
||||||
|
ts2 = c2.getAllTokens();
|
||||||
|
assertArrayEquals(ts1.toArray(new Token[0]), ts2.toArray(new Token[0]));
|
||||||
|
@SuppressWarnings("unchecked")
|
||||||
|
Token<? extends TokenIdentifier> token = mock(Token.class);
|
||||||
|
u2.addToken(token);
|
||||||
|
assertTrue(u2.getCredentials().getAllTokens().contains(token));
|
||||||
|
assertFalse(u1.getCredentials().getAllTokens().contains(token));
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This test checks a race condition between getting and adding tokens for
|
* This test checks a race condition between getting and adding tokens for
|
||||||
* the current user. Calling UserGroupInformation.getCurrentUser() returns
|
* the current user. Calling UserGroupInformation.getCurrentUser() returns
|
||||||
|
|
Loading…
Reference in New Issue