HADOOP-12716. KerberosAuthenticator#doSpnegoSequence use incorrect class to determine isKeyTab in JDK8. Contributed by Xiaoyu Yao.

(cherry picked from commit d6b181c6fa)
(cherry picked from commit ef9131fbcddc01a9d8cb3dfd0a729ed9d17d788e)
cnauroth 2016-02-24 13:55:39 -08:00
parent d5dfb278d6
commit d4bbdd9d28
4 changed files with 35 additions and 7 deletions


@ -24,8 +24,6 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import javax.security.auth.Subject; import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry; import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration; import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext; import javax.security.auth.login.LoginContext;
@ -272,8 +270,8 @@ public class KerberosAuthenticator implements Authenticator {
AccessControlContext context = AccessController.getContext(); AccessControlContext context = AccessController.getContext();
Subject subject = Subject.getSubject(context); Subject subject = Subject.getSubject(context);
if (subject == null if (subject == null
|| (subject.getPrivateCredentials(KerberosKey.class).isEmpty() || (!KerberosUtil.hasKerberosKeyTab(subject)
&& subject.getPrivateCredentials(KerberosTicket.class).isEmpty())) { && !KerberosUtil.hasKerberosTicket(subject))) {
LOG.debug("No subject in context, logging in"); LOG.debug("No subject in context, logging in");
subject = new Subject(); subject = new Subject();
LoginContext login = new LoginContext("", subject, LoginContext login = new LoginContext("", subject,
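Review bot: The debug line `LOG.debug("No subject in context, logging in");` is also reached when a Subject is present but holds neither a KeyTab nor a KerberosTicket, so the log cannot tell an absent subject apart from one whose credentials were not recognised. In that second case the caller's Subject is replaced by a fresh one and a new login starts, which may authenticate the request as a different principal than the caller expected (the login configuration lies outside this hunk, so this is inferred). I would log the two cases separately, for example `LOG.debug("Subject in context has no Kerberos keytab or ticket, logging in");` for the non-null branch. The enclosing method (doSpnegoSequence, going by the commit title) starts and ends outside the hunk.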


@ -38,6 +38,10 @@ import org.apache.directory.server.kerberos.shared.keytab.KeytabEntry;
import org.ietf.jgss.GSSException; import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid; import org.ietf.jgss.Oid;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.kerberos.KeyTab;
public class KerberosUtil { public class KerberosUtil {
/* Return the Kerberos login module name */ /* Return the Kerberos login module name */
@ -227,4 +231,28 @@ public class KerberosUtil {
} }
return principals; return principals;
} }
/**
* Check if the subject contains Kerberos keytab related objects.
* The Kerberos keytab object attached in subject has been changed
* from KerberosKey (JDK 7) to KeyTab (JDK 8)
*
*
* @param subject subject to be checked
* @return true if the subject contains Kerberos keytab
*/
public static boolean hasKerberosKeyTab(Subject subject) {
return !subject.getPrivateCredentials(KeyTab.class).isEmpty();
}
/**
* Check if the subject contains Kerberos ticket.
*
*
* @param subject subject to be checked
* @return true if the subject contains Kerberos ticket
*/
public static boolean hasKerberosTicket(Subject subject) {
return !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
}
} }
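Review bot: `hasKerberosKeyTab` looks only for `KeyTab` credentials although its own Javadoc says a JDK 7 login attaches `KerberosKey` instead, so on such a runtime it returns false for a keytab login, and the condition in KerberosAuthenticator no longer has the `KerberosKey` check it carried before this commit. If JDK 7 is still a supported runtime for this branch (not visible here), either say so in the Javadoc, e.g. `Returns false for a subject that holds only KerberosKey credentials.`, or keep that case covered. Both helpers also dereference `subject` without a null check; the KerberosAuthenticator caller tests for null first, but as public utilities they should document the requirement, e.g. `@throws NullPointerException if subject is null`.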


@ -1032,6 +1032,9 @@ Release 2.8.0 - UNRELEASED
HADOOP-12878. KMS SPNEGO sequence does not work with WEBHDFS. (xyao) HADOOP-12878. KMS SPNEGO sequence does not work with WEBHDFS. (xyao)
HADOOP-12716. KerberosAuthenticator#doSpnegoSequence use incorrect class to
determine isKeyTab in JDK8. (Xiaoyu Yao via cnauroth)
Release 2.7.3 - UNRELEASED Release 2.7.3 - UNRELEASED
INCOMPATIBLE CHANGES INCOMPATIBLE CHANGES


@ -45,7 +45,6 @@ import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler; import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal; import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket; import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.kerberos.KeyTab;
import javax.security.auth.login.AppConfigurationEntry; import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag; import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.LoginContext; import javax.security.auth.login.LoginContext;
@ -610,8 +609,8 @@ public class UserGroupInformation {
UserGroupInformation(Subject subject) { UserGroupInformation(Subject subject) {
this.subject = subject; this.subject = subject;
this.user = subject.getPrincipals(User.class).iterator().next(); this.user = subject.getPrincipals(User.class).iterator().next();
this.isKeytab = !subject.getPrivateCredentials(KeyTab.class).isEmpty(); this.isKeytab = KerberosUtil.hasKerberosKeyTab(subject);
this.isKrbTkt = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty(); this.isKrbTkt = KerberosUtil.hasKerberosTicket(subject);
} }
/** /**