This is an automated email from the ASF dual-hosted git repository.
rzo1 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/storm.git
The following commit(s) were added to refs/heads/master by this push:
new eb982a16c [STORM-4023] Background periodic Kerberos re-login should
use same JAAS configuration as initial login
eb982a16c is described below
commit eb982a16c12ea8e80c2749728df5ff82663534ec
Author: Andrew Olson <aols...@cerner.com>
AuthorDate: Tue Jan 23 17:13:19 2024 -0600
[STORM-4023] Background periodic Kerberos re-login should use same JAAS
configuration as initial login
---
.../org/apache/storm/messaging/netty/Login.java | 36 +++++++++++++---------
1 file changed, 22 insertions(+), 14 deletions(-)
diff --git a/storm-client/src/jvm/org/apache/storm/messaging/netty/Login.java
b/storm-client/src/jvm/org/apache/storm/messaging/netty/Login.java
index 27b356a00..9b2feb571 100644
--- a/storm-client/src/jvm/org/apache/storm/messaging/netty/Login.java
+++ b/storm-client/src/jvm/org/apache/storm/messaging/netty/Login.java
@@ -64,12 +64,14 @@ public class Login {
private String loginContextName = null;
private String principal = null;
private long lastLogin = 0;
+ private String jaasConfFile = null;
+ private Configuration configuration = null;
/**
* Login constructor. The constructor starts the thread used
* to periodically re-login to the Kerberos Ticket Granting Server.
* @param loginContextName
- * name of section in JAAS file that will be use to login.
+ * name of section in JAAS file that will be used to login.
* Passed as first param to
javax.security.auth.login.LoginContext().
*
* @param callbackHandler
@@ -79,12 +81,16 @@ public class Login {
*/
public Login(final String loginContextName, CallbackHandler
callbackHandler, String jaasConfFile)
throws LoginException {
- this.callbackHandler = callbackHandler;
- login = login(loginContextName, jaasConfFile);
this.loginContextName = loginContextName;
- subject = login.getSubject();
- isKrbTicket =
!subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
- AppConfigurationEntry[] entries =
this.getConfiguration(jaasConfFile).getAppConfigurationEntry(loginContextName);
+ this.callbackHandler = callbackHandler;
+ this.jaasConfFile = jaasConfFile;
+ this.configuration = getConfiguration(jaasConfFile);
+
+ this.login = login();
+ this.subject = login.getSubject();
+ this.isKrbTicket =
!subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
+
+ AppConfigurationEntry[] entries =
configuration.getAppConfigurationEntry(loginContextName);
for (AppConfigurationEntry entry : entries) {
// there will only be a single entry, so this for() loop will only
be iterated through once.
if (entry.getOptions().get("useTicketCache") != null) {
@@ -108,7 +114,7 @@ public class Login {
// TGT's existing expiry date and the configured
MIN_TIME_BEFORE_RELOGIN. For testing and development,
// you can decrease the interval of expiration of tickets (for
example, to 3 minutes) by running :
// "modprinc -maxlife 3mins <principal>" in kadmin.
- thread = new Thread(new Runnable() {
+ this.thread = new Thread(new Runnable() {
@Override
public void run() {
LOG.info("TGT refresh thread started.");
@@ -247,7 +253,7 @@ public class Login {
thread.setDaemon(true);
}
- private Configuration getConfiguration(String jaasConfFile) {
+ private static Configuration getConfiguration(String jaasConfFile) {
File configFile = new File(jaasConfFile);
if (!configFile.canRead()) {
throw new RuntimeException("File " + jaasConfFile + " cannot be
read.");
@@ -286,7 +292,7 @@ public class Login {
return loginContextName;
}
- private synchronized LoginContext login(final String loginContextName,
String jaasConfFile) throws LoginException {
+ private synchronized LoginContext login() throws LoginException {
if (loginContextName == null) {
throw new LoginException("loginContext name (JAAS file section
header) was null. "
+ "Please check your java.security.login.auth.config (="
@@ -294,9 +300,9 @@ public class Login {
+ ") and your " +
ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY + "(="
+
System.getProperty(ZooKeeperSaslClient.LOGIN_CONTEXT_NAME_KEY, "Client") + ")");
}
- Configuration configuration = this.getConfiguration(jaasConfFile);
LoginContext loginContext;
try {
+ // The subject is null for our initial login attempt.
loginContext = new LoginContext(loginContextName, null,
callbackHandler, configuration);
loginContext.login();
} catch (LoginException e) {
@@ -384,7 +390,7 @@ public class Login {
}
/**
- * Re-login a principal. This method assumes that {@link #login(String)}
has happened already.
+ * Re-login a principal. This method assumes that {@link #login()} has
happened already.
* @throws javax.security.auth.login.LoginException on a failure
*/
// c.f. HADOOP-6559
@@ -404,11 +410,13 @@ public class Login {
//the Java kerberos login module code, only the kerberos
credentials
//are cleared
login.logout();
- //login and also update the subject field of this instance to
- //have the new credentials (pass it to the LoginContext
constructor)
- login = new LoginContext(loginContextName, getSubject());
+ //login with original callback handler and config, and also update
the
+ //subject field of this instance to have the new credentials (pass
it
+ //to the LoginContext constructor)
+ login = new LoginContext(loginContextName, getSubject(),
callbackHandler, configuration);
LOG.info("Initiating re-login for " + principal);
login.login();
+ LOG.info("Successfully re-logged in to context " +
loginContextName + " using " + jaasConfFile);
setLogin(login);
}
}
