HADOOP-13558. UserGroupInformation created from a Subject incorrectly tries to renew the Kerberos ticket. Contributed by Xiao Chen.

(cherry picked from commit 680be58aac)
(cherry picked from commit d157733082)

Conflicts:
	hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
This commit is contained in:
Xiao Chen 2016-09-06 20:25:26 -07:00
parent a1cc90bca1
commit a7f1dc8aa8
2 changed files with 43 additions and 3 deletions

View File

@ -608,9 +608,24 @@ private void setLogin(LoginContext login) {
* @param subject the user's subject
*/
UserGroupInformation(Subject subject) {
this(subject, false);
}
/**
* Create a UGI from the given subject.
* @param subject the subject
* @param externalKeyTab if the subject's keytab is managed by the user.
* Setting this to true will prevent UGI from attempting
* to login the keytab, or to renew it.
*/
private UserGroupInformation(Subject subject, final boolean externalKeyTab) {
this.subject = subject;
this.user = subject.getPrincipals(User.class).iterator().next();
if (externalKeyTab) {
this.isKeytab = false;
} else {
this.isKeytab = KerberosUtil.hasKerberosKeyTab(subject);
}
this.isKrbTkt = KerberosUtil.hasKerberosTicket(subject);
}
@ -826,10 +841,11 @@ static void loginUserFromSubject(Subject subject) throws IOException {
newLoginContext(authenticationMethod.getLoginAppName(),
subject, new HadoopConfiguration());
login.login();
UserGroupInformation realUser = new UserGroupInformation(subject);
LOG.debug("Assuming keytab is managed externally since logged in from"
+ " subject.");
UserGroupInformation realUser = new UserGroupInformation(subject, true);
realUser.setLogin(login);
realUser.setAuthenticationMethod(authenticationMethod);
realUser = new UserGroupInformation(login.getSubject());
// If the HADOOP_PROXY_USER environment variable or property
// is specified, create a proxy user as the logged in user.
String proxyUser = System.getenv(HADOOP_PROXY_USER);

View File

@ -31,6 +31,7 @@
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.LoginContext;
@ -930,4 +931,27 @@ public void run() {
}
}
}
@Test
public void testCheckTGTAfterLoginFromSubject() throws Exception {
// security on, default is remove default realm
SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, conf);
UserGroupInformation.setConfiguration(conf);
// Login from a pre-set subject with a keytab
final Subject subject = new Subject();
KeyTab keytab = KeyTab.getInstance();
subject.getPrivateCredentials().add(keytab);
UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
ugi.doAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws IOException {
UserGroupInformation.loginUserFromSubject(subject);
// this should not throw.
UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
return null;
}
});
}
}