Revert "HADOOP-17159 Ability for forceful relogin in UserGroupInformation class (#2197)"

This reverts commit a932796d0c.
This commit is contained in:
Mingliang Liu 2020-08-26 10:41:00 -07:00 committed by GitHub
parent 931adbaa14
commit b7745b00b2
2 changed files with 7 additions and 64 deletions

View File

@ -1232,26 +1232,7 @@ public class UserGroupInformation {
reloginFromKeytab(false);
}
/**
* Force re-Login a user in from a keytab file. Loads a user identity from a
* keytab file and logs them in. They become the currently logged-in user.
* This method assumes that {@link #loginUserFromKeytab(String, String)} had
* happened already. The Subject field of this UserGroupInformation object is
* updated to have the new credentials.
*
* @param ignoreTimeElapsed Force re-login irrespective of the time of last
* login
* @throws IOException
* @throws KerberosAuthException on a failure
*/
@InterfaceAudience.Public
@InterfaceStability.Evolving
public void reloginFromKeytab(boolean ignoreTimeElapsed) throws IOException {
reloginFromKeytab(false, ignoreTimeElapsed);
}
private void reloginFromKeytab(boolean checkTGT, boolean ignoreTimeElapsed)
throws IOException {
private void reloginFromKeytab(boolean checkTGT) throws IOException {
if (!shouldRelogin() || !isFromKeytab()) {
return;
}
@ -1266,7 +1247,7 @@ public class UserGroupInformation {
return;
}
}
relogin(login, ignoreTimeElapsed);
relogin(login);
}
/**
@ -1287,27 +1268,25 @@ public class UserGroupInformation {
if (login == null) {
throw new KerberosAuthException(MUST_FIRST_LOGIN);
}
relogin(login, false);
relogin(login);
}
private void relogin(HadoopLoginContext login, boolean ignoreTimeElapsed)
throws IOException {
private void relogin(HadoopLoginContext login) throws IOException {
// ensure the relogin is atomic to avoid leaving credentials in an
// inconsistent state. prevents other ugi instances, SASL, and SPNEGO
// from accessing or altering credentials during the relogin.
synchronized(login.getSubjectLock()) {
// another racing thread may have beat us to the relogin.
if (login == getLogin()) {
unprotectedRelogin(login, ignoreTimeElapsed);
unprotectedRelogin(login);
}
}
}
private void unprotectedRelogin(HadoopLoginContext login,
boolean ignoreTimeElapsed) throws IOException {
private void unprotectedRelogin(HadoopLoginContext login) throws IOException {
assert Thread.holdsLock(login.getSubjectLock());
long now = Time.now();
if (!hasSufficientTimeElapsed(now) && !ignoreTimeElapsed) {
if (!hasSufficientTimeElapsed(now)) {
return;
}
// register most recent relogin attempt

View File

@ -158,42 +158,6 @@ public class TestUGILoginFromKeytab {
Assert.assertNotSame(login1, login2);
}
/**
* Force re-login from keytab using the MiniKDC and verify the UGI can
* successfully relogin from keytab as well.
*/
@Test
public void testUGIForceReLoginFromKeytab() throws Exception {
// Set this to false as we are testing force re-login anyways
UserGroupInformation.setShouldRenewImmediatelyForTests(false);
String principal = "foo";
File keytab = new File(workDir, "foo.keytab");
kdc.createPrincipal(keytab, principal);
UserGroupInformation.loginUserFromKeytab(principal, keytab.getPath());
UserGroupInformation ugi = UserGroupInformation.getLoginUser();
Assert.assertTrue("UGI should be configured to login from keytab",
ugi.isFromKeytab());
// Verify relogin from keytab.
User user = getUser(ugi.getSubject());
final long firstLogin = user.getLastLogin();
final LoginContext login1 = user.getLogin();
Assert.assertNotNull(login1);
// Sleep for 2 secs to have a difference between first and second login
Thread.sleep(2000);
// Force relogin from keytab
ugi.reloginFromKeytab(true);
final long secondLogin = user.getLastLogin();
final LoginContext login2 = user.getLogin();
Assert.assertTrue("User should have been able to relogin from keytab",
secondLogin > firstLogin);
Assert.assertNotNull(login2);
Assert.assertNotSame(login1, login2);
}
@Test
public void testGetUGIFromKnownSubject() throws Exception {
KerberosPrincipal principal = new KerberosPrincipal("user");