[jira] [Comment Edited] (CALCITE-6590) Run tests with java.security.manager=allow on JDK23+ in Avatica

Wed, 25 Sep 2024 06:27:08 -0700 


    [ 
https://issues.apache.org/jira/browse/CALCITE-6590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17884578#comment-17884578
 ] 

Istvan Toth edited comment on CALCITE-6590 at 9/25/24 1:26 PM:
---------------------------------------------------------------

bq. Looking at the code, getSubject() only seems to be called when Kerberos 
authentication is explicitly configured,
bq. which typically means Hadoop-related environments, where this option will 
be needed anyway by the other libraries.

This is not true. We call Subject.doAs every time we start the Avatica HTTP 
server.


was (Author: stoty):
bq. Looking at the code, getSubject() only seems to be called when Kerberos 
authentication is explicitly configured,
bq. which typically means Hadoop-related environments, where this option will 
be needed anyway by the other libraries.

This is not true. We call Subject.doAs every time we start the Avatica HTPP 
server.

> Run tests with java.security.manager=allow on JDK23+ in Avatica
> ---------------------------------------------------------------
>
>                 Key: CALCITE-6590
>                 URL: https://issues.apache.org/jira/browse/CALCITE-6590
>             Project: Calcite
>          Issue Type: Bug
>            Reporter: Julian Hyde
>            Assignee: Istvan Toth
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.26.0
>
>
> Remove use of Java SecurityManager in Avatica.
> Running Avatica on JDK 23 (or JRE 23) we get the following runtime errors:
> {noformat}
> Caused by: java.lang.UnsupportedOperationException: getSubject is supported 
> only if a security manager is allowed at 
> java.base/javax.security.auth.Subject.getSubject(Subject.java:347) at 
> org.apache.calcite.avatica.server.SubjectPreservingPrivilegedThreadFactory.newThread(SubjectPreservingPrivilegedThreadFactory.java:43)
>  {noformat}
> We were warned - the {{getSubject}} method has been deprecated since JDK 18. 
> The deprecation did not cause a build failure, due to CALCITE-5136.
> HADOOP-19212 is an issue with the same underlying cause.
> The message "getSubject is supported only if a security manager is allowed" 
> implies that another solution would be to enable a security manager 
> (including during tests, and when Avatica is used in Calcite's tests). Should 
> we consider that? If so, please change the case summary.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to