HADOOP-10342. Merging branch-2 equivalent of commit 1568525 from trunk
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1598754 13f79535-47bb-0310-9956-ffa450edef68
parent
0214a435a5
commit
c5c3241da8
|
@ -171,6 +171,9 @@ Release 2.5.0 - UNRELEASED
|
||||||
HADOOP-10638. Updating hadoop-daemon.sh to work as expected when nfs is
|
HADOOP-10638. Updating hadoop-daemon.sh to work as expected when nfs is
|
||||||
started as a privileged user. (Manikandan Narayanaswamy via atm)
|
started as a privileged user. (Manikandan Narayanaswamy via atm)
|
||||||
|
|
||||||
|
HADOOP-10342. Add a new method to UGI to use a Kerberos login subject to
|
||||||
|
build a new UGI. (Larry McCay via omalley)
|
||||||
|
|
||||||
Release 2.4.1 - UNRELEASED
|
Release 2.4.1 - UNRELEASED
|
||||||
|
|
||||||
INCOMPATIBLE CHANGES
|
INCOMPATIBLE CHANGES
|
||||||
|
|
|
@ -652,7 +652,7 @@ public class Client {
|
||||||
// try re-login
|
// try re-login
|
||||||
if (UserGroupInformation.isLoginKeytabBased()) {
|
if (UserGroupInformation.isLoginKeytabBased()) {
|
||||||
UserGroupInformation.getLoginUser().reloginFromKeytab();
|
UserGroupInformation.getLoginUser().reloginFromKeytab();
|
||||||
} else {
|
} else if (UserGroupInformation.isLoginTicketBased()) {
|
||||||
UserGroupInformation.getLoginUser().reloginFromTicketCache();
|
UserGroupInformation.getLoginUser().reloginFromTicketCache();
|
||||||
}
|
}
|
||||||
// have granularity of milliseconds
|
// have granularity of milliseconds
|
||||||
|
|
|
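Review bot: With the branch narrowed to `else if (UserGroupInformation.isLoginTicketBased())`, a login that is neither keytab- nor ticket-cache-based now skips re-login with no comment or log line at this point. That appears to be the intended path for a UGI built from a caller-supplied Subject, but the retry logic around it (outside this hunk) will presumably go on retrying with the same expired credentials. A comment would make the contract explicit, for example `// Neither keytab nor ticket cache (e.g. a UGI built from a caller-supplied Subject): no re-login is possible here, the caller must refresh the Subject's credentials.` The enclosing method starts and ends outside the hunk.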
@ -692,6 +692,35 @@ public class UserGroupInformation {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Create a UserGroupInformation from a Subject with Kerberos principal.
|
||||||
|
*
|
||||||
|
* @param user The KerberosPrincipal to use in UGI
|
||||||
|
*
|
||||||
|
* @throws IOException if the kerberos login fails
|
||||||
|
*/
|
||||||
|
public static UserGroupInformation getUGIFromSubject(Subject subject)
|
||||||
|
throws IOException {
|
||||||
|
if (subject == null) {
|
||||||
|
throw new IOException("Subject must not be null");
|
||||||
|
}
|
||||||
|
|
||||||
|
if (subject.getPrincipals(KerberosPrincipal.class).isEmpty()) {
|
||||||
|
throw new IOException("Provided Subject must contain a KerberosPrincipal");
|
||||||
|
}
|
||||||
|
|
||||||
|
KerberosPrincipal principal =
|
||||||
|
subject.getPrincipals(KerberosPrincipal.class).iterator().next();
|
||||||
|
|
||||||
|
User ugiUser = new User(principal.getName(),
|
||||||
|
AuthenticationMethod.KERBEROS, null);
|
||||||
|
subject.getPrincipals().add(ugiUser);
|
||||||
|
UserGroupInformation ugi = new UserGroupInformation(subject);
|
||||||
|
ugi.setLogin(null);
|
||||||
|
ugi.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
|
||||||
|
return ugi;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the currently logged in user.
|
* Get the currently logged in user.
|
||||||
* @return the logged in user
|
* @return the logged in user
|
||||||
|
@ -1099,6 +1128,14 @@ public class UserGroupInformation {
|
||||||
return getLoginUser().isKeytab;
|
return getLoginUser().isKeytab;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Did the login happen via ticket cache
|
||||||
|
* @return true or false
|
||||||
|
*/
|
||||||
|
public static boolean isLoginTicketBased() throws IOException {
|
||||||
|
return getLoginUser().isKrbTkt;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Create a user from a login name. It is intended to be used for remote
|
* Create a user from a login name. It is intended to be used for remote
|
||||||
* users in RPC, since it won't have any credentials.
|
* users in RPC, since it won't have any credentials.
|
||||||
|
|
|
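Review bot: getUGIFromSubject sets AuthenticationMethod.KERBEROS after checking only that the Subject carries a KerberosPrincipal; nothing in the method confirms that the Subject has completed a Kerberos login, and the test added in this commit builds such a UGI from a bare `new KerberosPrincipal("guest")`. The Javadoc should state that the caller must pass an already authenticated Subject, and that the method modifies that Subject by adding a `User` principal to it. When the Subject holds more than one KerberosPrincipal, `iterator().next()` takes whichever the set yields first, so the chosen identity is not deterministic; rejecting that case or documenting the choice would remove the ambiguity. The tag `@param user` should be `@param subject`, a `@return` is missing, and `@throws IOException if the kerberos login fails` describes a login this method never performs; the visible throws are for a null Subject and for a Subject without a KerberosPrincipal.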
@ -28,6 +28,7 @@ import org.apache.hadoop.util.Shell;
|
||||||
import org.junit.*;
|
import org.junit.*;
|
||||||
|
|
||||||
import javax.security.auth.Subject;
|
import javax.security.auth.Subject;
|
||||||
|
import javax.security.auth.kerberos.KerberosPrincipal;
|
||||||
import javax.security.auth.login.AppConfigurationEntry;
|
import javax.security.auth.login.AppConfigurationEntry;
|
||||||
import javax.security.auth.login.LoginContext;
|
import javax.security.auth.login.LoginContext;
|
||||||
import java.io.BufferedReader;
|
import java.io.BufferedReader;
|
||||||
|
@ -767,7 +768,17 @@ public class TestUserGroupInformation {
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test (timeout = 30000)
|
||||||
|
public void testGetUGIFromSubject() throws Exception {
|
||||||
|
KerberosPrincipal p = new KerberosPrincipal("guest");
|
||||||
|
Subject subject = new Subject();
|
||||||
|
subject.getPrincipals().add(p);
|
||||||
|
UserGroupInformation ugi = UserGroupInformation.getUGIFromSubject(subject);
|
||||||
|
assertNotNull(ugi);
|
||||||
|
assertEquals("guest@DEFAULT.REALM", ugi.getUserName());
|
||||||
|
}
|
||||||
|
|
||||||
@Test(timeout=1000)
|
@Test(timeout=1000)
|
||||||
public void testSetLoginUser() throws IOException {
|
public void testSetLoginUser() throws IOException {
|
||||||
UserGroupInformation ugi = UserGroupInformation.createRemoteUser("test-user");
|
UserGroupInformation ugi = UserGroupInformation.createRemoteUser("test-user");
|
||||||
|
|
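Review bot: testGetUGIFromSubject exercises only the success path, so the two rejection branches this commit adds (null Subject, and a Subject with no KerberosPrincipal) are never run. Two short cases that expect an IOException would pin that validation, and the success case could also check the authentication method, e.g. `assertEquals(AuthenticationMethod.KERBEROS, ugi.getAuthenticationMethod());` (assuming that enum is imported in this test class). The expected name `guest@DEFAULT.REALM` depends on the default realm configured for the test JVM, which is not visible in this hunk; a one-line comment pointing to where that realm is set would help when the assertion fails on another setup.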