From d6b181c6faa56e43c9f05d2cc860a0aeb940fd90 Mon Sep 17 00:00:00 2001
From: cnauroth
Date: Wed, 24 Feb 2016 13:55:39 -0800
Subject: [PATCH] HADOOP-12716. KerberosAuthenticator#doSpnegoSequence use incorrect class to determine isKeyTab in JDK8. Contributed by Xiaoyu Yao.
---
 .../client/KerberosAuthenticator.java | 6 ++--
 .../authentication/util/KerberosUtil.java | 28 +++++++++++++++++++
 .../hadoop-common/CHANGES.txt | 3 ++
 .../hadoop/security/UserGroupInformation.java | 5 ++--
 4 files changed, 35 insertions(+), 7 deletions(-)
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
index e107810790e..0f046ae9f3e 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
@@ -24,8 +24,6 @@
 import org.slf4j.LoggerFactory;
 import javax.security.auth.Subject;
-import javax.security.auth.kerberos.KerberosKey;
-import javax.security.auth.kerberos.KerberosTicket;
 import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.Configuration;
 import javax.security.auth.login.LoginContext;
@@ -272,8 +270,8 @@ private void doSpnegoSequence(AuthenticatedURL.Token token) throws IOException,
 AccessControlContext context = AccessController.getContext();
 Subject subject = Subject.getSubject(context);
 if (subject == null
- || (subject.getPrivateCredentials(KerberosKey.class).isEmpty()
- && subject.getPrivateCredentials(KerberosTicket.class).isEmpty())) {
+ || (!KerberosUtil.hasKerberosKeyTab(subject)
+ && !KerberosUtil.hasKerberosTicket(subject))) {
 LOG.debug("No subject in context, logging in");
 subject = new Subject();
 LoginContext login = new LoginContext("", subject,
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java
index 3d7b00d4f62..fd257fccd96 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java
@@ -38,6 +38,10 @@
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.Oid;
+import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosTicket;
+import javax.security.auth.kerberos.KeyTab;
+
 public class KerberosUtil {
 /* Return the Kerberos login module name */
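Review bot: The new condition no longer recognises a subject whose keytab login left `KerberosKey` objects rather than a `KeyTab`, because `KerberosUtil.hasKerberosKeyTab` (added in KerberosUtil.java by this same patch) looks only for `KeyTab.class`, while the removed lines looked for `KerberosKey.class`. Its Javadoc says JDK 7 attaches `KerberosKey`, so if JDK 7 runtimes are still supported on this branch, such a subject with no ticket would fall into the fresh-login branch and the request could be authenticated with whatever credentials that login produces rather than the caller's. I would have the helper accept either class, `return !subject.getPrivateCredentials(KeyTab.class).isEmpty() || !subject.getPrivateCredentials(KerberosKey.class).isEmpty();`, or state in a comment above this condition that JDK 7 is out of scope. The body of doSpnegoSequence starts and ends outside this hunk.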
@@ -227,4 +231,28 @@ public static final String[] getPrincipalNames(String keytab,
 }
 return principals;
 }
+
+ /**
+ * Check if the subject contains Kerberos keytab related objects.
+ * The Kerberos keytab object attached in subject has been changed
+ * from KerberosKey (JDK 7) to KeyTab (JDK 8)
+ *
+ *
+ * @param subject subject to be checked
+ * @return true if the subject contains Kerberos keytab
+ */
+ public static boolean hasKerberosKeyTab(Subject subject) {
+ return !subject.getPrivateCredentials(KeyTab.class).isEmpty();
+ }
+
+ /**
+ * Check if the subject contains Kerberos ticket.
+ *
+ *
+ * @param subject subject to be checked
+ * @return true if the subject contains Kerberos ticket
+ */
+ public static boolean hasKerberosTicket(Subject subject) {
+ return !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
+ }
 }
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index a1aa142a85a..8fd61f0004a 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -1744,6 +1744,9 @@ Release 2.8.0 - UNRELEASED
 HADOOP-12878. KMS SPNEGO sequence does not work with WEBHDFS. (xyao)
+ HADOOP-12716. KerberosAuthenticator#doSpnegoSequence use incorrect class to
+ determine isKeyTab in JDK8. (Xiaoyu Yao via cnauroth)
+
 Release 2.7.3 - UNRELEASED
 INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
index 047e645737a..a0f0c69162b 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
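Review bot: Both new helpers dereference `subject` without a check and the Javadoc does not say so. doSpnegoSequence tests `subject == null ||` before calling them, but these are public static methods that other callers can reach. I would document the contract with `@throws NullPointerException if subject is null`, or open each method with `Objects.requireNonNull(subject, "subject");`. The Javadoc for hasKerberosTicket should also say that it reports presence only, for example `Returns true for any KerberosTicket held by the subject, including an expired one; callers that need a usable ticket must check validity themselves.` The doubled empty `*` lines in both comments can be dropped.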
@@ -48,7 +48,6 @@
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.kerberos.KerberosPrincipal;
 import javax.security.auth.kerberos.KerberosTicket;
-import javax.security.auth.kerberos.KeyTab;
 import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
 import javax.security.auth.login.LoginContext;
@@ -624,8 +623,8 @@ private void setLogin(LoginContext login) {
 UserGroupInformation(Subject subject) {
 this.subject = subject;
 this.user = subject.getPrincipals(User.class).iterator().next();
- this.isKeytab = !subject.getPrivateCredentials(KeyTab.class).isEmpty();
- this.isKrbTkt = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
+ this.isKeytab = KerberosUtil.hasKerberosKeyTab(subject);
+ this.isKrbTkt = KerberosUtil.hasKerberosTicket(subject);
 }
 /**