HADOOP-6649. login object in UGI should be inside the subject (jnp via boryas)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@951618 13f79535-47bb-0310-9956-ffa450edef68
Boris Shkolnik 2010-06-05 00:10:13 +00:00
parent bb29ad17db
commit 56b15e9e8f
4 changed files with 56 additions and 6 deletions


@ -65,6 +65,8 @@ Trunk (unreleased changes)
glob pattern code less restrictive and more POSIX standard
compliant. (Luke Lu via eli)
HADOOP-6649. login object in UGI should be inside the subject (jnp via boryas)
Release 0.21.0 - Unreleased
INCOMPATIBLE CHANGES


@ -19,6 +19,8 @@ package org.apache.hadoop.security;
import java.security.Principal;
import javax.security.auth.login.LoginContext;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
/**
@ -29,12 +31,13 @@ class User implements Principal {
private final String fullName;
private final String shortName;
private AuthenticationMethod authMethod = null;
private LoginContext login = null;
public User(String name) {
this(name, null);
this(name, null, null);
}
public User(String name, AuthenticationMethod authMethod) {
public User(String name, AuthenticationMethod authMethod, LoginContext login) {
fullName = name;
int atIdx = name.indexOf('@');
if (atIdx == -1) {
@ -48,6 +51,7 @@ class User implements Principal {
}
}
this.authMethod = authMethod;
this.login = login;
}
/**
@ -94,4 +98,20 @@ class User implements Principal {
public AuthenticationMethod getAuthenticationMethod() {
return authMethod;
}
/**
* Returns login object
* @return login
*/
public LoginContext getLogin() {
return login;
}
/**
* Set the login object
* @param login
*/
public void setLogin(LoginContext login) {
this.login = login;
}
}
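Review bot: The new `login` field is the only mutable, unsynchronised state exposed through a public setter on a principal that, after this change, is shared by every UGI built from the same Subject. A re-login that calls `setLogin` on one thread is not guaranteed to be visible to a `getLogin` on another, so a stale `LoginContext` could be reused. Unless every caller already holds a common lock (not visible in these hunks, and the class body continues outside them), I would declare it `private volatile LoginContext login = null;`. The Javadoc could also say what the object is for, e.g. `Returns the LoginContext used to authenticate this user, or null if none was recorded`, and give `@param login` a description.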


@ -206,8 +206,6 @@ public class UserGroupInformation {
private final Subject subject;
private LoginContext login;
private static final String OS_LOGIN_MODULE_NAME;
private static final Class<? extends Principal> OS_PRINCIPAL_CLASS;
private static final boolean windows =
@ -331,6 +329,19 @@ public class UserGroupInformation {
}
}
private LoginContext getLogin() {
for (User p: subject.getPrincipals(User.class)) {
return p.getLogin();
}
return null;
}
private void setLogin(LoginContext login) {
for (User p: subject.getPrincipals(User.class)) {
p.setLogin(login);
}
}
/**
* Create a UserGroupInformation for the given subject.
* This does not change the subject or acquire new credentials.
@ -371,7 +382,7 @@ public class UserGroupInformation {
subject);
}
login.login();
loginUser.login = login;
loginUser.setLogin(login);
loginUser = new UserGroupInformation(login.getSubject());
String tokenFile = System.getenv(HADOOP_TOKEN_FILE_LOCATION);
if (tokenFile != null && isSecurityEnabled()) {
@ -407,7 +418,7 @@ public class UserGroupInformation {
new LoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject);
login.login();
loginUser = new UserGroupInformation(subject);
loginUser.login = login;
loginUser.setLogin(login);
} catch (LoginException le) {
throw new IOException("Login failure for " + user + " from keytab " +
path, le);
@ -427,6 +438,7 @@ public class UserGroupInformation {
throws IOException {
if (!isSecurityEnabled())
return;
LoginContext login = getLogin();
if (login == null || keytabFile == null) {
throw new IOException("loginUserFromKeyTab must be done first");
}
@ -452,6 +464,7 @@ public class UserGroupInformation {
getSubject());
LOG.info("Initiating re-login for " + keytabPrincipal);
login.login();
setLogin(login);
} catch (LoginException le) {
throw new IOException("Login failure for " + keytabPrincipal +
" from keytab " + keytabFile, le);

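Review bot: `setLogin` does nothing at all when the subject holds no `User` principal, so a successful `login.login()` can be followed by the `LoginContext` being dropped without any signal. `getLogin` then returns null, and what looks like the re-login path fails later with "loginUserFromKeyTab must be done first", which points at the wrong cause. All three call sites (`loginUser.setLogin(login)` twice and `setLogin(login)` after the re-login) depend on this. I would make the miss visible at the top of `setLogin`, for example `if (subject.getPrincipals(User.class).isEmpty()) { LOG.warn("No User principal in subject; login context not stored"); }`, and add a short comment on both helpers that the context lives on the `User` principal and is therefore shared by every UGI wrapping the same Subject. Whether the subject can actually lack a `User` principal at these call sites is not visible in the hunks.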

@ -32,6 +32,8 @@ import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.security.auth.login.LoginContext;
import junit.framework.Assert;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
@ -287,4 +289,17 @@ public class TestUserGroupInformation {
"proxyAnother", realugi);
Assert.assertEquals(proxyUgi3, proxyUgi4);
}
@Test
public void testLoginObjectInSubject() throws Exception {
UserGroupInformation loginUgi = UserGroupInformation.getLoginUser();
UserGroupInformation anotherUgi = new UserGroupInformation(loginUgi
.getSubject());
LoginContext login1 = loginUgi.getSubject().getPrincipals(User.class)
.iterator().next().getLogin();
LoginContext login2 = anotherUgi.getSubject().getPrincipals(User.class)
.iterator().next().getLogin();
//login1 and login2 must be same instances
Assert.assertTrue(login1 == login2);
}
}
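Review bot: `Assert.assertTrue(login1 == login2)` also passes when both values are null, so `testLoginObjectInSubject` would stay green if the `LoginContext` were never stored on the `User` principal. That is exactly the regression this test is meant to catch. Add `Assert.assertNotNull(login1);` before the comparison, and prefer `Assert.assertSame(login1, login2);` so a failure reports both instances. The `.iterator().next()` calls will throw `NoSuchElementException` if no `User` principal is present; asserting that the principal set is non-empty first would give a clearer failure.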