HADOOP-10342. Merging branch-2 equivalent of commit 1568525 from trunk

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1598754 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Suresh Srinivas 2014-05-30 21:56:58 +00:00
parent 0214a435a5
commit c5c3241da8
4 changed files with 53 additions and 2 deletions

View File

@ -171,6 +171,9 @@ Release 2.5.0 - UNRELEASED
HADOOP-10638. Updating hadoop-daemon.sh to work as expected when nfs is
started as a privileged user. (Manikandan Narayanaswamy via atm)
HADOOP-10342. Add a new method to UGI to use a Kerberos login subject to
build a new UGI. (Larry McCay via omalley)
Release 2.4.1 - UNRELEASED
INCOMPATIBLE CHANGES

View File

@ -652,7 +652,7 @@ public class Client {
// try re-login
if (UserGroupInformation.isLoginKeytabBased()) {
UserGroupInformation.getLoginUser().reloginFromKeytab();
} else {
} else if (UserGroupInformation.isLoginTicketBased()) {
UserGroupInformation.getLoginUser().reloginFromTicketCache();
}
// have granularity of milliseconds

View File

@ -692,6 +692,35 @@ public class UserGroupInformation {
}
}
/**
* Create a UserGroupInformation from a Subject with Kerberos principal.
*
* @param user The KerberosPrincipal to use in UGI
*
* @throws IOException if the kerberos login fails
*/
public static UserGroupInformation getUGIFromSubject(Subject subject)
throws IOException {
if (subject == null) {
throw new IOException("Subject must not be null");
}
if (subject.getPrincipals(KerberosPrincipal.class).isEmpty()) {
throw new IOException("Provided Subject must contain a KerberosPrincipal");
}
KerberosPrincipal principal =
subject.getPrincipals(KerberosPrincipal.class).iterator().next();
User ugiUser = new User(principal.getName(),
AuthenticationMethod.KERBEROS, null);
subject.getPrincipals().add(ugiUser);
UserGroupInformation ugi = new UserGroupInformation(subject);
ugi.setLogin(null);
ugi.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
return ugi;
}
/**
* Get the currently logged in user.
* @return the logged in user
@ -1099,6 +1128,14 @@ public class UserGroupInformation {
return getLoginUser().isKeytab;
}
/**
* Did the login happen via ticket cache
* @return true or false
*/
public static boolean isLoginTicketBased() throws IOException {
return getLoginUser().isKrbTkt;
}
/**
* Create a user from a login name. It is intended to be used for remote
* users in RPC, since it won't have any credentials.

View File

@ -28,6 +28,7 @@ import org.apache.hadoop.util.Shell;
import org.junit.*;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.LoginContext;
import java.io.BufferedReader;
@ -767,7 +768,17 @@ public class TestUserGroupInformation {
}
});
}
@Test (timeout = 30000)
public void testGetUGIFromSubject() throws Exception {
KerberosPrincipal p = new KerberosPrincipal("guest");
Subject subject = new Subject();
subject.getPrincipals().add(p);
UserGroupInformation ugi = UserGroupInformation.getUGIFromSubject(subject);
assertNotNull(ugi);
assertEquals("guest@DEFAULT.REALM", ugi.getUserName());
}
@Test(timeout=1000)
public void testSetLoginUser() throws IOException {
UserGroupInformation ugi = UserGroupInformation.createRemoteUser("test-user");