HADOOP-13558. UserGroupInformation created from a Subject incorrectly tries to renew the Kerberos ticket. Contributed by Xiao Chen.
(cherry picked from commit680be58aac
) (cherry picked from commitd157733082
) Conflicts: hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java (cherry picked from commita7f1dc8aa8
) Conflicts: hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
This commit is contained in:
parent
a8b7817739
commit
81ac06039e
|
@ -605,9 +605,24 @@ public class UserGroupInformation {
|
||||||
* @param subject the user's subject
|
* @param subject the user's subject
|
||||||
*/
|
*/
|
||||||
UserGroupInformation(Subject subject) {
|
UserGroupInformation(Subject subject) {
|
||||||
|
this(subject, false);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Create a UGI from the given subject.
|
||||||
|
* @param subject the subject
|
||||||
|
* @param externalKeyTab if the subject's keytab is managed by the user.
|
||||||
|
* Setting this to true will prevent UGI from attempting
|
||||||
|
* to login the keytab, or to renew it.
|
||||||
|
*/
|
||||||
|
private UserGroupInformation(Subject subject, final boolean externalKeyTab) {
|
||||||
this.subject = subject;
|
this.subject = subject;
|
||||||
this.user = subject.getPrincipals(User.class).iterator().next();
|
this.user = subject.getPrincipals(User.class).iterator().next();
|
||||||
this.isKeytab = !subject.getPrivateCredentials(KeyTab.class).isEmpty();
|
if (externalKeyTab) {
|
||||||
|
this.isKeytab = false;
|
||||||
|
} else {
|
||||||
|
this.isKeytab = !subject.getPrivateCredentials(KeyTab.class).isEmpty();
|
||||||
|
}
|
||||||
this.isKrbTkt = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
|
this.isKrbTkt = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -797,10 +812,11 @@ public class UserGroupInformation {
|
||||||
newLoginContext(authenticationMethod.getLoginAppName(),
|
newLoginContext(authenticationMethod.getLoginAppName(),
|
||||||
subject, new HadoopConfiguration());
|
subject, new HadoopConfiguration());
|
||||||
login.login();
|
login.login();
|
||||||
UserGroupInformation realUser = new UserGroupInformation(subject);
|
LOG.debug("Assuming keytab is managed externally since logged in from"
|
||||||
|
+ " subject.");
|
||||||
|
UserGroupInformation realUser = new UserGroupInformation(subject, true);
|
||||||
realUser.setLogin(login);
|
realUser.setLogin(login);
|
||||||
realUser.setAuthenticationMethod(authenticationMethod);
|
realUser.setAuthenticationMethod(authenticationMethod);
|
||||||
realUser = new UserGroupInformation(login.getSubject());
|
|
||||||
// If the HADOOP_PROXY_USER environment variable or property
|
// If the HADOOP_PROXY_USER environment variable or property
|
||||||
// is specified, create a proxy user as the logged in user.
|
// is specified, create a proxy user as the logged in user.
|
||||||
String proxyUser = System.getenv(HADOOP_PROXY_USER);
|
String proxyUser = System.getenv(HADOOP_PROXY_USER);
|
||||||
|
|
|
@ -31,6 +31,7 @@ import org.junit.*;
|
||||||
|
|
||||||
import javax.security.auth.Subject;
|
import javax.security.auth.Subject;
|
||||||
import javax.security.auth.kerberos.KerberosPrincipal;
|
import javax.security.auth.kerberos.KerberosPrincipal;
|
||||||
|
import javax.security.auth.kerberos.KeyTab;
|
||||||
import javax.security.auth.login.AppConfigurationEntry;
|
import javax.security.auth.login.AppConfigurationEntry;
|
||||||
import javax.security.auth.login.LoginContext;
|
import javax.security.auth.login.LoginContext;
|
||||||
|
|
||||||
|
@ -892,4 +893,27 @@ public class TestUserGroupInformation {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testCheckTGTAfterLoginFromSubject() throws Exception {
|
||||||
|
// security on, default is remove default realm
|
||||||
|
SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, conf);
|
||||||
|
UserGroupInformation.setConfiguration(conf);
|
||||||
|
|
||||||
|
// Login from a pre-set subject with a keytab
|
||||||
|
final Subject subject = new Subject();
|
||||||
|
KeyTab keytab = KeyTab.getInstance();
|
||||||
|
subject.getPrivateCredentials().add(keytab);
|
||||||
|
UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
|
||||||
|
ugi.doAs(new PrivilegedExceptionAction<Void>() {
|
||||||
|
@Override
|
||||||
|
public Void run() throws IOException {
|
||||||
|
UserGroupInformation.loginUserFromSubject(subject);
|
||||||
|
// this should not throw.
|
||||||
|
UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue