From 9f94c9e60dc5e663774c6bd3ef601b4d38039377 Mon Sep 17 00:00:00 2001
From: Mingliang Liu
Date: Wed, 26 Aug 2020 11:24:03 -0700
Subject: [PATCH] Revert "HADOOP-17159 Ability for forceful relogin in UserGroupInformation class (#2197)"

This reverts commit 12fb9e0600f665aca3e7ebe0be9b95ff232d520f.
---
 .../hadoop/security/UserGroupInformation.java | 35 ++++--------------
 .../security/TestUGILoginFromKeytab.java | 36 -------------------
 2 files changed, 7 insertions(+), 64 deletions(-)

diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
index 2471e0aa47b..0e4168cc479 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
@@ -1115,26 +1115,7 @@ public class UserGroupInformation {
 reloginFromKeytab(false);
 }

- /**
- * Force re-Login a user in from a keytab file. Loads a user identity from a
- * keytab file and logs them in. They become the currently logged-in user.
- * This method assumes that {@link #loginUserFromKeytab(String, String)} had
- * happened already. The Subject field of this UserGroupInformation object is
- * updated to have the new credentials.
- *
- * @param ignoreTimeElapsed Force re-login irrespective of the time of last
- * login
- * @throws IOException
- * @throws KerberosAuthException on a failure
- */
- @InterfaceAudience.Public
- @InterfaceStability.Evolving
- public void reloginFromKeytab(boolean ignoreTimeElapsed) throws IOException {
- reloginFromKeytab(false, ignoreTimeElapsed);
- }
-
- private void reloginFromKeytab(boolean checkTGT, boolean ignoreTimeElapsed)
- throws IOException {
+ private void reloginFromKeytab(boolean checkTGT) throws IOException {
 if (!shouldRelogin() || !isFromKeytab()) {
 return;
 }
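Review bot: The private `reloginFromKeytab(boolean checkTGT)` left by this hunk has no comment, and with the `@InterfaceAudience.Public` overload `reloginFromKeytab(boolean ignoreTimeElapsed)` removed, nothing in the file records that keytab relogin can no longer bypass the time check. Code built against the reverted commit that calls `reloginFromKeytab(true)` will no longer resolve; whether any release shipped that overload is not visible here. I would add above the private method a comment such as `// No force option: relogin(login) applies the hasSufficientTimeElapsed() throttle.` The method body continues past the end of the hunk.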
@@ -1149,7 +1130,7 @@ public class UserGroupInformation {
 return;
 }
 }
- relogin(login, ignoreTimeElapsed);
+ relogin(login);
 }

 /**
@@ -1170,27 +1151,25 @@ public class UserGroupInformation {
 if (login == null) {
 throw new KerberosAuthException(MUST_FIRST_LOGIN);
 }
- relogin(login, false);
+ relogin(login);
 }

- private void relogin(HadoopLoginContext login, boolean ignoreTimeElapsed)
- throws IOException {
+ private void relogin(HadoopLoginContext login) throws IOException {
 // ensure the relogin is atomic to avoid leaving credentials in an
 // inconsistent state. prevents other ugi instances, SASL, and SPNEGO
 // from accessing or altering credentials during the relogin.
 synchronized(login.getSubjectLock()) {
 // another racing thread may have beat us to the relogin.
 if (login == getLogin()) {
- unprotectedRelogin(login, ignoreTimeElapsed);
+ unprotectedRelogin(login);
 }
 }
 }

- private void unprotectedRelogin(HadoopLoginContext login,
- boolean ignoreTimeElapsed) throws IOException {
+ private void unprotectedRelogin(HadoopLoginContext login) throws IOException {
 assert Thread.holdsLock(login.getSubjectLock());
 long now = Time.now();
- if (!hasSufficientTimeElapsed(now) && !ignoreTimeElapsed) {
+ if (!hasSufficientTimeElapsed(now)) {
 return;
 }
 // register most recent relogin attempt
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUGILoginFromKeytab.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUGILoginFromKeytab.java
index 7e2c250d5e3..bf4a2ccd05a 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUGILoginFromKeytab.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUGILoginFromKeytab.java
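Review bot: In `unprotectedRelogin` (UserGroupInformation.java, the `@@ -1170,27 +1151,25 @@` hunk) the early `return` under `if (!hasSufficientTimeElapsed(now))` is silent at this call site, so every path that goes through `relogin(login)` gives its caller no way to tell a refreshed credential from a skipped attempt. With the `ignoreTimeElapsed` override gone, that skip is the only outcome inside the throttle window, which is worth knowing when diagnosing authentication failures after a keytab change. Unless `hasSufficientTimeElapsed` already logs the skip (its body is outside this diff), I would document it at the return with `// throttled: last relogin attempt was too recent; credentials are left unchanged`. The body of `unprotectedRelogin` continues past the end of the hunk.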
@@ -154,42 +154,6 @@ public class TestUGILoginFromKeytab {
 Assert.assertNotSame(login1, login2);
 }

- /**
- * Force re-login from keytab using the MiniKDC and verify the UGI can
- * successfully relogin from keytab as well.
- */
- @Test
- public void testUGIForceReLoginFromKeytab() throws Exception {
- // Set this to false as we are testing force re-login anyways
- UserGroupInformation.setShouldRenewImmediatelyForTests(false);
- String principal = "foo";
- File keytab = new File(workDir, "foo.keytab");
- kdc.createPrincipal(keytab, principal);
-
- UserGroupInformation.loginUserFromKeytab(principal, keytab.getPath());
- UserGroupInformation ugi = UserGroupInformation.getLoginUser();
- Assert.assertTrue("UGI should be configured to login from keytab",
- ugi.isFromKeytab());
-
- // Verify relogin from keytab.
- User user = getUser(ugi.getSubject());
- final long firstLogin = user.getLastLogin();
- final LoginContext login1 = user.getLogin();
- Assert.assertNotNull(login1);
-
- // Sleep for 2 secs to have a difference between first and second login
- Thread.sleep(2000);
-
- // Force relogin from keytab
- ugi.reloginFromKeytab(true);
- final long secondLogin = user.getLastLogin();
- final LoginContext login2 = user.getLogin();
- Assert.assertTrue("User should have been able to relogin from keytab",
- secondLogin > firstLogin);
- Assert.assertNotNull(login2);
- Assert.assertNotSame(login1, login2);
- }
-
 @Test
 public void testGetUGIFromKnownSubject() throws Exception {
 KerberosPrincipal principal = new KerberosPrincipal("user");