Author: kihwal
Date: Mon May 12 19:14:18 2014
New Revision: 1594058
URL: http://svn.apache.org/r1594058
Log:
Fixing a previous merge/commit error
Modified:
hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java
Modified:
hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
URL:
http://svn.apache.org/viewvc/hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java?rev=1594058&r1=1594057&r2=1594058&view=diff
==============================================================================
---
hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
(original)
+++
hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
Mon May 12 19:14:18 2014
@@ -26,6 +26,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
@@ -35,9 +36,11 @@ import javax.servlet.http.HttpServletReq
import javax.servlet.http.HttpServletResponse;
import java.io.File;
import java.io.IOException;
+import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
+import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
@@ -140,7 +143,7 @@ public class KerberosAuthenticationHandl
private String principal;
private String keytab;
private GSSManager gssManager;
- private Subject serverSubject = new Subject();
+ private LoginContext loginContext;
/**
* Initializes the authentication handler instance.
@@ -173,20 +176,17 @@ public class KerberosAuthenticationHandl
KerberosName.setRules(nameRules);
}
+ Set<Principal> principals = new HashSet<Principal>();
+ principals.add(new KerberosPrincipal(principal));
+ Subject subject = new Subject(false, principals, new HashSet<Object>(),
new HashSet<Object>());
+
+ KerberosConfiguration kerberosConfiguration = new
KerberosConfiguration(keytab, principal);
+
LOG.info("Login using keytab "+keytab+", for principal "+principal);
- for (String servicePrincipal : principal.split(",")) {
- final KerberosConfiguration kerberosConfiguration =
- new KerberosConfiguration(keytab, servicePrincipal);
- final LoginContext loginContext =
- new LoginContext("", serverSubject, null, kerberosConfiguration);
- try {
- loginContext.login();
- } catch (LoginException le) {
- LOG.warn("Failed to login as [{}]", servicePrincipal, le);
- throw new AuthenticationException(le);
- }
- serverSubject.getPrivateCredentials().add(loginContext);
- }
+ loginContext = new LoginContext("", subject, null,
kerberosConfiguration);
+ loginContext.login();
+
+ Subject serverSubject = loginContext.getSubject();
try {
gssManager = Subject.doAs(serverSubject, new
PrivilegedExceptionAction<GSSManager>() {
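Review bot: `new KerberosPrincipal(principal)` now receives the configured value whole, so a configuration that still carries the comma-separated list the removed loop accepted is no longer split. It is likely to fail inside `login()` or be treated as one malformed name. The same applies to initSpnego in HttpServer.java, which now forwards `conf.get(usernameConfKey)` unsplit. I would reject that input before the Subject is built: `if (principal.indexOf(',') >= 0) { throw new IllegalArgumentException("Only one Kerberos principal is supported: " + principal); }`. The removed `LoginException` handler also logged which principal failed; whether the bare `loginContext.login()` is still wrapped depends on a try block that starts outside this hunk.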
@@ -211,17 +211,13 @@ public class KerberosAuthenticationHandl
*/
@Override
public void destroy() {
- if (serverSubject != null) {
- final Set<LoginContext> logins =
- serverSubject.getPrivateCredentials(LoginContext.class);
- for (LoginContext login : logins) {
- try {
- login.logout();
- } catch (LoginException ex) {
- LOG.warn(ex.getMessage(), ex);
- }
+ try {
+ if (loginContext != null) {
+ loginContext.logout();
+ loginContext = null;
}
- serverSubject = null;
+ } catch (LoginException ex) {
+ LOG.warn(ex.getMessage(), ex);
}
}
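Review bot: In destroy(), `loginContext = null` sits after `logout()` inside the try, so when `logout()` throws `LoginException` the field keeps pointing at a context whose credentials may be only partly cleared. A second destroy() would then retry the logout on it. Clearing the field in a finally block makes the teardown idempotent: `} finally { loginContext = null; }`. The request path in this commit reads `loginContext.getSubject()` without a null check, so a short comment here that destroy() must run only when no requests are in flight would also help.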
@@ -308,7 +304,7 @@ public class KerberosAuthenticationHandl
authorization =
authorization.substring(KerberosAuthenticator.NEGOTIATE.length()).trim();
final Base64 base64 = new Base64(0);
final byte[] clientToken = base64.decode(authorization);
- final String serverName = request.getServerName();
+ Subject serverSubject = loginContext.getSubject();
try {
token = Subject.doAs(serverSubject, new
PrivilegedExceptionAction<AuthenticationToken>() {
@@ -318,15 +314,15 @@ public class KerberosAuthenticationHandl
GSSContext gssContext = null;
GSSCredential gssCreds = null;
try {
- gssCreds = gssManager.createCredential(
- gssManager.createName(
- KerberosUtil.getServicePrincipal("HTTP", serverName),
- KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL")),
- GSSCredential.INDEFINITE_LIFETIME,
- new Oid[]{
- KerberosUtil.getOidInstance("GSS_SPNEGO_MECH_OID"),
- KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID")},
- GSSCredential.ACCEPT_ONLY);
+ if (IBM_JAVA) {
+ // IBM JDK needs non-null credentials to be passed to
createContext here, with
+ // SPNEGO mechanism specified, otherwise JGSS will use its
default mechanism
+ // only, which is Kerberos V5.
+ gssCreds = gssManager.createCredential(null,
GSSCredential.INDEFINITE_LIFETIME,
+ new
Oid[]{KerberosUtil.getOidInstance("GSS_SPNEGO_MECH_OID"),
+ KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID")},
+ GSSCredential.ACCEPT_ONLY);
+ }
gssContext = gssManager.createContext(gssCreds);
byte[] serverToken = gssContext.acceptSecContext(clientToken, 0,
clientToken.length);
if (serverToken != null && serverToken.length > 0) {
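Review bot: The non-IBM path now reaches `gssManager.createContext(gssCreds)` with `gssCreds` still null, and nothing in the hunk says this is intended. A null credential asks JGSS for the default acceptor credential, which here presumably comes from the `serverSubject` the surrounding doAs runs under. The accepting identity is therefore no longer derived from `request.getServerName()`. I would add a comment above the `if (IBM_JAVA)` block: `// Other JDKs: leave gssCreds null so JGSS accepts with the default credentials of the login Subject.` The enclosing run() method starts and ends outside this hunk.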
Modified:
hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java
URL:
http://svn.apache.org/viewvc/hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java?rev=1594058&r1=1594057&r2=1594058&view=diff
==============================================================================
---
hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java
(original)
+++
hadoop/common/branches/branch-2.4/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer.java
Mon May 12 19:14:18 2014
@@ -62,7 +62,6 @@ import org.apache.hadoop.security.author
import org.apache.hadoop.security.ssl.SSLFactory;
import org.apache.hadoop.util.ReflectionUtils;
import org.apache.hadoop.util.Shell;
-import org.apache.hadoop.util.StringUtils;
import org.mortbay.io.Buffer;
import org.mortbay.jetty.Connector;
import org.mortbay.jetty.Handler;
@@ -671,16 +670,11 @@ public class HttpServer implements Filte
protected void initSpnego(Configuration conf,
String usernameConfKey, String keytabConfKey) throws IOException {
Map<String, String> params = new HashMap<String, String>();
- String[] principalsInConf = conf.getStrings(usernameConfKey);
- if (principalsInConf != null && principalsInConf.length != 0) {
- for (int i=0; i < principalsInConf.length; i++) {
- principalsInConf[i] =
- SecurityUtil.getServerPrincipal(principalsInConf[i],
listener.getHost());
- }
+ String principalInConf = conf.get(usernameConfKey);
+ if (principalInConf != null && !principalInConf.isEmpty()) {
params.put("kerberos.principal",
- StringUtils.join(",", principalsInConf));
+ SecurityUtil.getServerPrincipal(principalInConf,
listener.getHost()));
}
-
String httpKeytab = conf.get(keytabConfKey);
if (httpKeytab != null && !httpKeytab.isEmpty()) {
params.put("kerberos.keytab", httpKeytab);