HADOOP-12716. KerberosAuthenticator#doSpnegoSequence use incorrect class to determine isKeyTab in JDK8. Contributed by Xiaoyu Yao.
(cherry picked from commit d6b181c6fa
)
(cherry picked from commit ef9131fbcddc01a9d8cb3dfd0a729ed9d17d788e)
parent
d5dfb278d6
commit
d4bbdd9d28
|
@ -24,8 +24,6 @@ import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
|
|
||||||
import javax.security.auth.Subject;
|
import javax.security.auth.Subject;
|
||||||
import javax.security.auth.kerberos.KerberosKey;
|
|
||||||
import javax.security.auth.kerberos.KerberosTicket;
|
|
||||||
import javax.security.auth.login.AppConfigurationEntry;
|
import javax.security.auth.login.AppConfigurationEntry;
|
||||||
import javax.security.auth.login.Configuration;
|
import javax.security.auth.login.Configuration;
|
||||||
import javax.security.auth.login.LoginContext;
|
import javax.security.auth.login.LoginContext;
|
||||||
|
@ -272,8 +270,8 @@ public class KerberosAuthenticator implements Authenticator {
|
||||||
AccessControlContext context = AccessController.getContext();
|
AccessControlContext context = AccessController.getContext();
|
||||||
Subject subject = Subject.getSubject(context);
|
Subject subject = Subject.getSubject(context);
|
||||||
if (subject == null
|
if (subject == null
|
||||||
|| (subject.getPrivateCredentials(KerberosKey.class).isEmpty()
|
|| (!KerberosUtil.hasKerberosKeyTab(subject)
|
||||||
&& subject.getPrivateCredentials(KerberosTicket.class).isEmpty())) {
|
&& !KerberosUtil.hasKerberosTicket(subject))) {
|
||||||
LOG.debug("No subject in context, logging in");
|
LOG.debug("No subject in context, logging in");
|
||||||
subject = new Subject();
|
subject = new Subject();
|
||||||
LoginContext login = new LoginContext("", subject,
|
LoginContext login = new LoginContext("", subject,
|
||||||
|
|
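Review bot: The debug message `No subject in context, logging in` is also emitted when a subject is present but `KerberosUtil.hasKerberosKeyTab(subject)` and `KerberosUtil.hasKerberosTicket(subject)` both return false, so a log reader cannot tell a missing subject from one that carries no Kerberos credentials. That distinction matters when diagnosing SPNEGO failures, because in the second case the caller's subject is replaced by `new Subject()` and a fresh login. I would reword it, e.g. `LOG.debug("No subject in context or subject has no Kerberos credentials, logging in");`. The enclosing method starts and ends outside this hunk, so the rest of the login path is not reviewed here.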
|
@ -38,6 +38,10 @@ import org.apache.directory.server.kerberos.shared.keytab.KeytabEntry;
|
||||||
import org.ietf.jgss.GSSException;
|
import org.ietf.jgss.GSSException;
|
||||||
import org.ietf.jgss.Oid;
|
import org.ietf.jgss.Oid;
|
||||||
|
|
||||||
|
import javax.security.auth.Subject;
|
||||||
|
import javax.security.auth.kerberos.KerberosTicket;
|
||||||
|
import javax.security.auth.kerberos.KeyTab;
|
||||||
|
|
||||||
public class KerberosUtil {
|
public class KerberosUtil {
|
||||||
|
|
||||||
/* Return the Kerberos login module name */
|
/* Return the Kerberos login module name */
|
||||||
|
@ -227,4 +231,28 @@ public class KerberosUtil {
|
||||||
}
|
}
|
||||||
return principals;
|
return principals;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Check if the subject contains Kerberos keytab related objects.
|
||||||
|
* The Kerberos keytab object attached in subject has been changed
|
||||||
|
* from KerberosKey (JDK 7) to KeyTab (JDK 8)
|
||||||
|
*
|
||||||
|
*
|
||||||
|
* @param subject subject to be checked
|
||||||
|
* @return true if the subject contains Kerberos keytab
|
||||||
|
*/
|
||||||
|
public static boolean hasKerberosKeyTab(Subject subject) {
|
||||||
|
return !subject.getPrivateCredentials(KeyTab.class).isEmpty();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Check if the subject contains Kerberos ticket.
|
||||||
|
*
|
||||||
|
*
|
||||||
|
* @param subject subject to be checked
|
||||||
|
* @return true if the subject contains Kerberos ticket
|
||||||
|
*/
|
||||||
|
public static boolean hasKerberosTicket(Subject subject) {
|
||||||
|
return !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
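Review bot: The Javadoc on `hasKerberosKeyTab` says the keytab credential is a `KerberosKey` on JDK 7 and a `KeyTab` on JDK 8, yet the body tests only `KeyTab.class`; if a JDK 7 runtime is still supported on this branch and attaches only `KerberosKey`, the method would return false there, so the comment should state which runtimes the check covers. Both helpers also report presence only: `hasKerberosTicket` returns true for a ticket that has expired or been destroyed, and callers use the result to decide whether a login can be skipped. I would add a sentence such as `Only tests for presence; does not check that the ticket is current (see KerberosTicket#isCurrent()).` Both methods dereference `subject` without a null check, so `@param subject` should say it must be non-null. The duplicated empty `*` lines in each comment can be dropped.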
|
@ -1032,6 +1032,9 @@ Release 2.8.0 - UNRELEASED
|
||||||
|
|
||||||
HADOOP-12878. KMS SPNEGO sequence does not work with WEBHDFS. (xyao)
|
HADOOP-12878. KMS SPNEGO sequence does not work with WEBHDFS. (xyao)
|
||||||
|
|
||||||
|
HADOOP-12716. KerberosAuthenticator#doSpnegoSequence use incorrect class to
|
||||||
|
determine isKeyTab in JDK8. (Xiaoyu Yao via cnauroth)
|
||||||
|
|
||||||
Release 2.7.3 - UNRELEASED
|
Release 2.7.3 - UNRELEASED
|
||||||
|
|
||||||
INCOMPATIBLE CHANGES
|
INCOMPATIBLE CHANGES
|
||||||
|
|
|
@ -45,7 +45,6 @@ import javax.security.auth.Subject;
|
||||||
import javax.security.auth.callback.CallbackHandler;
|
import javax.security.auth.callback.CallbackHandler;
|
||||||
import javax.security.auth.kerberos.KerberosPrincipal;
|
import javax.security.auth.kerberos.KerberosPrincipal;
|
||||||
import javax.security.auth.kerberos.KerberosTicket;
|
import javax.security.auth.kerberos.KerberosTicket;
|
||||||
import javax.security.auth.kerberos.KeyTab;
|
|
||||||
import javax.security.auth.login.AppConfigurationEntry;
|
import javax.security.auth.login.AppConfigurationEntry;
|
||||||
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
|
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
|
||||||
import javax.security.auth.login.LoginContext;
|
import javax.security.auth.login.LoginContext;
|
||||||
|
@ -610,8 +609,8 @@ public class UserGroupInformation {
|
||||||
UserGroupInformation(Subject subject) {
|
UserGroupInformation(Subject subject) {
|
||||||
this.subject = subject;
|
this.subject = subject;
|
||||||
this.user = subject.getPrincipals(User.class).iterator().next();
|
this.user = subject.getPrincipals(User.class).iterator().next();
|
||||||
this.isKeytab = !subject.getPrivateCredentials(KeyTab.class).isEmpty();
|
this.isKeytab = KerberosUtil.hasKerberosKeyTab(subject);
|
||||||
this.isKrbTkt = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
|
this.isKrbTkt = KerberosUtil.hasKerberosTicket(subject);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|