HADOOP-13081. add the ability to create multiple UGIs/subjects from one kerberos login. Contributed by Sergey Shelukhin.
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/0458a2af Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/0458a2af Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/0458a2af Branch: refs/heads/YARN-2915 Commit: 0458a2af6e925d023882714e8b7b0568eca7a775 Parents: 3818393 Author: Chris Nauroth <cnaur...@apache.org> Authored: Tue Aug 2 12:43:30 2016 -0700 Committer: Chris Nauroth <cnaur...@apache.org> Committed: Tue Aug 2 12:43:30 2016 -0700 ---------------------------------------------------------------------- .../hadoop/security/UserGroupInformation.java | 29 +++++++++++++++++++- .../security/TestUserGroupInformation.java | 27 ++++++++++++++++++ 2 files changed, 55 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/0458a2af/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java index 7dee14b..1e5ad36 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java @@ -38,6 +38,7 @@ import java.util.Arrays; import java.util.Collection; import java.util.Collections; import java.util.HashMap; +import java.util.HashSet; import java.util.Iterator; import java.util.LinkedHashSet; import java.util.List; @@ -637,7 +638,33 @@ public class UserGroupInformation { this.isKeytab = KerberosUtil.hasKerberosKeyTab(subject); this.isKrbTkt = KerberosUtil.hasKerberosTicket(subject); } - + + /** + * Copies the Subject of this UGI and creates a new UGI with the new subject. + * This can be used to add credentials (e.g. tokens) to different copies of + * the same UGI, allowing multiple users with different tokens to reuse the + * UGI without re-authenticating with Kerberos. + * @return clone of the UGI with a new subject. + */ + @InterfaceAudience.Public + @InterfaceStability.Evolving + public UserGroupInformation copySubjectAndUgi() { + Subject subj = getSubject(); + // The ctor will set other fields automatically from the principals. + return new UserGroupInformation(new Subject(false, subj.getPrincipals(), + cloneCredentials(subj.getPublicCredentials()), + cloneCredentials(subj.getPrivateCredentials()))); + } + + private static Set<Object> cloneCredentials(Set<Object> old) { + Set<Object> set = new HashSet<>(); + // Make sure Hadoop credentials objects do not reuse the maps. + for (Object o : old) { + set.add(o instanceof Credentials ? new Credentials((Credentials)o) : o); + } + return set; + } + /** * checks if logged in using kerberos * @return true if the subject logged via keytab or has a Kerberos TGT http://git-wip-us.apache.org/repos/asf/hadoop/blob/0458a2af/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java index 91f36e5..8c41180 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java @@ -44,6 +44,7 @@ import java.security.PrivilegedExceptionAction; import java.util.Collection; import java.util.ConcurrentModificationException; import java.util.LinkedHashSet; +import java.util.List; import java.util.Set; import static org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_USER_GROUP_METRICS_PERCENTILES_INTERVALS; @@ -877,6 +878,32 @@ public class TestUserGroupInformation { assertEquals(1, tokens.size()); } + @Test(timeout = 30000) + public void testCopySubjectAndUgi() throws IOException { + SecurityUtil.setAuthenticationMethod(AuthenticationMethod.SIMPLE, conf); + UserGroupInformation.setConfiguration(conf); + UserGroupInformation u1 = UserGroupInformation.getLoginUser(); + assertNotNull(u1); + @SuppressWarnings("unchecked") + Token<? extends TokenIdentifier> tmpToken = mock(Token.class); + u1.addToken(tmpToken); + + UserGroupInformation u2 = u1.copySubjectAndUgi(); + assertEquals(u1.getAuthenticationMethod(), u2.getAuthenticationMethod()); + assertNotSame(u1.getSubject(), u2.getSubject()); + Credentials c1 = u1.getCredentials(), c2 = u2.getCredentials(); + List<Text> sc1 = c1.getAllSecretKeys(), sc2 = c2.getAllSecretKeys(); + assertArrayEquals(sc1.toArray(new Text[0]), sc2.toArray(new Text[0])); + Collection<Token<? extends TokenIdentifier>> ts1 = c1.getAllTokens(), + ts2 = c2.getAllTokens(); + assertArrayEquals(ts1.toArray(new Token[0]), ts2.toArray(new Token[0])); + @SuppressWarnings("unchecked") + Token<? extends TokenIdentifier> token = mock(Token.class); + u2.addToken(token); + assertTrue(u2.getCredentials().getAllTokens().contains(token)); + assertFalse(u1.getCredentials().getAllTokens().contains(token)); + } + /** * This test checks a race condition between getting and adding tokens for * the current user. Calling UserGroupInformation.getCurrentUser() returns --------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org
