HADOOP-17432. [JDK 16] KerberosUtil#getOidInstance is broken by JEP 396 (#2546)

Reviewed-by: Steve Loughran <stevel@apache.org>
(cherry picked from commit 52217fce3d)
This commit is contained in:
Akira Ajisaka 2021-02-05 16:14:10 +09:00
parent ae80fc2477
commit bdd22b61c2
No known key found for this signature in database
GPG Key ID: C1EDBB9CA400FD50
4 changed files with 31 additions and 33 deletions

View File

@ -22,7 +22,6 @@ import static org.apache.hadoop.util.PlatformName.IBM_JAVA;
import java.io.File; import java.io.File;
import java.io.IOException; import java.io.IOException;
import java.io.UnsupportedEncodingException; import java.io.UnsupportedEncodingException;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException; import java.lang.reflect.InvocationTargetException;
import java.net.InetAddress; import java.net.InetAddress;
import java.net.UnknownHostException; import java.net.UnknownHostException;
@ -73,21 +72,29 @@ public class KerberosUtil {
} }
} }
/**
* Returns the Oid instance from string oidName.
* Use {@link GSS_SPNEGO_MECH_OID}, {@link GSS_KRB5_MECH_OID},
* or {@link NT_GSS_KRB5_PRINCIPAL_OID} instead.
*
* @return Oid instance
* @param oidName The oid Name
* @throws NoSuchFieldException if the input is not supported.
*/
@Deprecated
public static Oid getOidInstance(String oidName) public static Oid getOidInstance(String oidName)
throws ClassNotFoundException, GSSException, NoSuchFieldException, throws NoSuchFieldException {
IllegalAccessException { switch (oidName) {
Class<?> oidClass; case "GSS_SPNEGO_MECH_OID":
if (IBM_JAVA) { return GSS_SPNEGO_MECH_OID;
if ("NT_GSS_KRB5_PRINCIPAL".equals(oidName)) { case "GSS_KRB5_MECH_OID":
// IBM JDK GSSUtil class does not have field for krb5 principal oid return GSS_KRB5_MECH_OID;
return new Oid("1.2.840.113554.1.2.2.1"); case "NT_GSS_KRB5_PRINCIPAL":
} return NT_GSS_KRB5_PRINCIPAL_OID;
oidClass = Class.forName("com.ibm.security.jgss.GSSUtil"); default:
} else { throw new NoSuchFieldException(
oidClass = Class.forName("sun.security.jgss.GSSUtil"); "oidName: " + oidName + " is not supported.");
} }
Field oidField = oidClass.getDeclaredField(oidName);
return (Oid)oidField.get(oidClass);
} }
/** /**

View File

@ -301,11 +301,10 @@ public class TestKerberosAuthenticationHandler
GSSContext gssContext = null; GSSContext gssContext = null;
try { try {
String servicePrincipal = KerberosTestUtils.getServerPrincipal(); String servicePrincipal = KerberosTestUtils.getServerPrincipal();
Oid oid = Oid oid = KerberosUtil.NT_GSS_KRB5_PRINCIPAL_OID;
KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL");
GSSName serviceName = gssManager.createName(servicePrincipal, GSSName serviceName = gssManager.createName(servicePrincipal,
oid); oid);
oid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID"); oid = KerberosUtil.GSS_KRB5_MECH_OID;
gssContext = gssManager.createContext(serviceName, oid, null, gssContext = gssManager.createContext(serviceName, oid, null,
GSSContext.DEFAULT_LIFETIME); GSSContext.DEFAULT_LIFETIME);
gssContext.requestCredDeleg(true); gssContext.requestCredDeleg(true);

View File

@ -30,12 +30,10 @@ import javax.ws.rs.core.MediaType;
import org.apache.commons.codec.binary.Base64; import org.apache.commons.codec.binary.Base64;
import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticationException; import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.ietf.jgss.GSSContext; import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException; import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager; import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName; import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@ -72,8 +70,6 @@ public class HttpUtil {
@Override @Override
public String run() throws Exception { public String run() throws Exception {
try { try {
// This Oid for Kerberos GSS-API mechanism.
Oid mechOid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
GSSManager manager = GSSManager.getInstance(); GSSManager manager = GSSManager.getInstance();
// GSS name for server // GSS name for server
GSSName serverName = manager.createName("HTTP@" + server, GSSName serverName = manager.createName("HTTP@" + server,
@ -81,8 +77,9 @@ public class HttpUtil {
// Create a GSSContext for authentication with the service. // Create a GSSContext for authentication with the service.
// We're passing client credentials as null since we want them to // We're passing client credentials as null since we want them to
// be read from the Subject. // be read from the Subject.
// We're passing Oid as null to use the default.
GSSContext gssContext = manager.createContext( GSSContext gssContext = manager.createContext(
serverName.canonicalize(mechOid), mechOid, null, serverName.canonicalize(null), null, null,
GSSContext.DEFAULT_LIFETIME); GSSContext.DEFAULT_LIFETIME);
gssContext.requestMutualAuth(true); gssContext.requestMutualAuth(true);
gssContext.requestCredDeleg(true); gssContext.requestCredDeleg(true);
@ -95,9 +92,8 @@ public class HttpUtil {
LOG.debug("Got valid challenge for host {}", serverName); LOG.debug("Got valid challenge for host {}", serverName);
return new String(BASE_64_CODEC.encode(outToken), return new String(BASE_64_CODEC.encode(outToken),
StandardCharsets.US_ASCII); StandardCharsets.US_ASCII);
} catch (GSSException | IllegalAccessException } catch (GSSException e) {
| NoSuchFieldException | ClassNotFoundException e) { LOG.error("Error: ", e);
LOG.error("Error: {}", e);
throw new AuthenticationException(e); throw new AuthenticationException(e);
} }
} }

View File

@ -31,7 +31,6 @@ import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.SecurityUtil; import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticationException; import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.hadoop.yarn.api.records.NodeLabel; import org.apache.hadoop.yarn.api.records.NodeLabel;
import org.apache.hadoop.yarn.conf.HAUtil; import org.apache.hadoop.yarn.conf.HAUtil;
import org.apache.hadoop.yarn.conf.YarnConfiguration; import org.apache.hadoop.yarn.conf.YarnConfiguration;
@ -39,7 +38,6 @@ import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException; import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager; import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName; import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@ -222,8 +220,6 @@ public abstract class YarnClientUtils {
@Override @Override
public String run() throws Exception { public String run() throws Exception {
try { try {
// This Oid for Kerberos GSS-API mechanism.
Oid mechOid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
GSSManager manager = GSSManager.getInstance(); GSSManager manager = GSSManager.getInstance();
// GSS name for server // GSS name for server
GSSName serverName = manager.createName("HTTP@" + server, GSSName serverName = manager.createName("HTTP@" + server,
@ -231,8 +227,9 @@ public abstract class YarnClientUtils {
// Create a GSSContext for authentication with the service. // Create a GSSContext for authentication with the service.
// We're passing client credentials as null since we want them to // We're passing client credentials as null since we want them to
// be read from the Subject. // be read from the Subject.
// We're passing Oid as null to use the default.
GSSContext gssContext = manager.createContext( GSSContext gssContext = manager.createContext(
serverName.canonicalize(mechOid), mechOid, null, serverName.canonicalize(null), null, null,
GSSContext.DEFAULT_LIFETIME); GSSContext.DEFAULT_LIFETIME);
gssContext.requestMutualAuth(true); gssContext.requestMutualAuth(true);
gssContext.requestCredDeleg(true); gssContext.requestCredDeleg(true);
@ -245,8 +242,7 @@ public abstract class YarnClientUtils {
LOG.debug("Got valid challenge for host {}", serverName); LOG.debug("Got valid challenge for host {}", serverName);
return new String(BASE_64_CODEC.encode(outToken), return new String(BASE_64_CODEC.encode(outToken),
StandardCharsets.US_ASCII); StandardCharsets.US_ASCII);
} catch (GSSException | IllegalAccessException } catch (GSSException e) {
| NoSuchFieldException | ClassNotFoundException e) {
LOG.error("Error: ", e); LOG.error("Error: ", e);
throw new AuthenticationException(e); throw new AuthenticationException(e);
} }