[ https://issues.apache.org/jira/browse/SPARK-45482?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Yang Jie updated SPARK-45482: ----------------------------- Description: {code:java} * @deprecated This class is only useful in conjunction with * {@linkplain SecurityManager the Security Manager}, which is deprecated * and subject to removal in a future release. Consequently, this class * is also deprecated and subject to removal. There is no replacement for * the Security Manager or this class. */ @Deprecated(since="17", forRemoval=true) public final class AccessController { * @deprecated This class is only useful in conjunction with * {@linkplain SecurityManager the Security Manager}, which is deprecated * and subject to removal in a future release. Consequently, this class * is also deprecated and subject to removal. There is no replacement for * the Security Manager or this class. */ @Deprecated(since="17", forRemoval=true) public final class AccessControlContext { {code} `AccessControlContext` and `AccessController` are marked as deprecated in Java 17, with `forRemoval` set to true. From the Javadoc, it can be seen that they do not have corresponding replacements. In Spark, there are three files that use AccessControlContext or AccessController: 1.[https://github.com/apache/spark/blob/39cc4abaff73cb49f9d79d1d844fe5c9fa14c917/core/src/main/scala/org/apache/spark/serializer/SerializationDebugger.scala#L70-L73] {code:java} private[serializer] var enableDebugging: Boolean = { !AccessController.doPrivileged(new sun.security.action.GetBooleanAction( "sun.io.serialization.extendedDebugInfo")).booleanValue() } {code} 2. [https://github.com/apache/spark/blob/39cc4abaff73cb49f9d79d1d844fe5c9fa14c917/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/TSubjectAssumingTransport.java#L42-L45] {code:java} public void open() throws TTransportException { try { AccessControlContext context = AccessController.getContext(); Subject subject = Subject.getSubject(context); Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> { try { wrapped.open(); } catch (TTransportException tte) { // Wrap the transport exception in an RTE, since Subject.doAs() then goes // and unwraps this for us out of the doAs block. We then unwrap one // more time in our catch clause to get back the TTE. (ugh) throw new RuntimeException(tte); } return null; }); } catch (PrivilegedActionException ioe) { throw new RuntimeException("Received an ioe we never threw!", ioe); } catch (RuntimeException rte) { if (rte.getCause() instanceof TTransportException) { throw (TTransportException) rte.getCause(); } else { throw rte; } } } {code} 3. [https://github.com/apache/spark/blob/39cc4abaff73cb49f9d79d1d844fe5c9fa14c917/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/HttpAuthUtils.java#L73] {code:java} public static String getKerberosServiceTicket(String principal, String host, String serverHttpUrl, boolean assumeSubject) throws Exception { String serverPrincipal = ShimLoader.getHadoopThriftAuthBridge().getServerPrincipal(principal, host); if (assumeSubject) { // With this option, we're assuming that the external application, // using the JDBC driver has done a JAAS kerberos login already AccessControlContext context = AccessController.getContext(); Subject subject = Subject.getSubject(context); if (subject == null) { throw new Exception("The Subject is not set"); } return Subject.doAs(subject, new HttpKerberosClientAction(serverPrincipal, serverHttpUrl)); } else { // JAAS login from ticket cache to setup the client UserGroupInformation UserGroupInformation clientUGI = ShimLoader.getHadoopThriftAuthBridge().getCurrentUGIWithConf("kerberos"); return clientUGI.doAs(new HttpKerberosClientAction(serverPrincipal, serverHttpUrl)); } } {code} was: {code:java} * @deprecated This class is only useful in conjunction with * {@linkplain SecurityManager the Security Manager}, which is deprecated * and subject to removal in a future release. Consequently, this class * is also deprecated and subject to removal. There is no replacement for * the Security Manager or this class. */ @Deprecated(since="17", forRemoval=true) public final class AccessController { * @deprecated This class is only useful in conjunction with * {@linkplain SecurityManager the Security Manager}, which is deprecated * and subject to removal in a future release. Consequently, this class * is also deprecated and subject to removal. There is no replacement for * the Security Manager or this class. */ @Deprecated(since="17", forRemoval=true) public final class AccessControlContext { {code} `AccessControlContext` and `AccessController` are marked as deprecated in Java 17, with `forRemoval` set to true. From the Javadoc, it can be seen that they do not have corresponding replacements. In Spark, there are three files that use AccessControlContext or AccessController: # [https://github.com/apache/spark/blob/39cc4abaff73cb49f9d79d1d844fe5c9fa14c917/core/src/main/scala/org/apache/spark/serializer/SerializationDebugger.scala#L70-L73] {code:java} private[serializer] var enableDebugging: Boolean = { !AccessController.doPrivileged(new sun.security.action.GetBooleanAction( "sun.io.serialization.extendedDebugInfo")).booleanValue() } {code} # [https://github.com/apache/spark/blob/39cc4abaff73cb49f9d79d1d844fe5c9fa14c917/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/TSubjectAssumingTransport.java#L42-L45] {code:java} public void open() throws TTransportException { try { AccessControlContext context = AccessController.getContext(); Subject subject = Subject.getSubject(context); Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> { try { wrapped.open(); } catch (TTransportException tte) { // Wrap the transport exception in an RTE, since Subject.doAs() then goes // and unwraps this for us out of the doAs block. We then unwrap one // more time in our catch clause to get back the TTE. (ugh) throw new RuntimeException(tte); } return null; }); } catch (PrivilegedActionException ioe) { throw new RuntimeException("Received an ioe we never threw!", ioe); } catch (RuntimeException rte) { if (rte.getCause() instanceof TTransportException) { throw (TTransportException) rte.getCause(); } else { throw rte; } } } {code} # [https://github.com/apache/spark/blob/39cc4abaff73cb49f9d79d1d844fe5c9fa14c917/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/HttpAuthUtils.java#L73] {code:java} public static String getKerberosServiceTicket(String principal, String host, String serverHttpUrl, boolean assumeSubject) throws Exception { String serverPrincipal = ShimLoader.getHadoopThriftAuthBridge().getServerPrincipal(principal, host); if (assumeSubject) { // With this option, we're assuming that the external application, // using the JDBC driver has done a JAAS kerberos login already AccessControlContext context = AccessController.getContext(); Subject subject = Subject.getSubject(context); if (subject == null) { throw new Exception("The Subject is not set"); } return Subject.doAs(subject, new HttpKerberosClientAction(serverPrincipal, serverHttpUrl)); } else { // JAAS login from ticket cache to setup the client UserGroupInformation UserGroupInformation clientUGI = ShimLoader.getHadoopThriftAuthBridge().getCurrentUGIWithConf("kerberos"); return clientUGI.doAs(new HttpKerberosClientAction(serverPrincipal, serverHttpUrl)); } } {code} > Clean up the usage of `AccessControlContext` and `AccessController` > ------------------------------------------------------------------- > > Key: SPARK-45482 > URL: https://issues.apache.org/jira/browse/SPARK-45482 > Project: Spark > Issue Type: Sub-task > Components: Spark Core, SQL > Affects Versions: 4.0.0 > Reporter: Yang Jie > Priority: Minor > > > > {code:java} > * @deprecated This class is only useful in conjunction with > * {@linkplain SecurityManager the Security Manager}, which is > deprecated > * and subject to removal in a future release. Consequently, this class > * is also deprecated and subject to removal. There is no replacement > for > * the Security Manager or this class. > */ > @Deprecated(since="17", forRemoval=true) > public final class AccessController { > * @deprecated This class is only useful in conjunction with > * {@linkplain SecurityManager the Security Manager}, which is > deprecated > * and subject to removal in a future release. Consequently, this class > * is also deprecated and subject to removal. There is no replacement > for > * the Security Manager or this class. > */ > @Deprecated(since="17", forRemoval=true) > public final class AccessControlContext { {code} > > > `AccessControlContext` and `AccessController` are marked as deprecated in > Java 17, with `forRemoval` set to true. From the Javadoc, it can be seen that > they do not have corresponding replacements. > > In Spark, there are three files that use AccessControlContext or > AccessController: > 1.[https://github.com/apache/spark/blob/39cc4abaff73cb49f9d79d1d844fe5c9fa14c917/core/src/main/scala/org/apache/spark/serializer/SerializationDebugger.scala#L70-L73] > {code:java} > private[serializer] var enableDebugging: Boolean = { > !AccessController.doPrivileged(new sun.security.action.GetBooleanAction( > "sun.io.serialization.extendedDebugInfo")).booleanValue() > } {code} > > 2. > [https://github.com/apache/spark/blob/39cc4abaff73cb49f9d79d1d844fe5c9fa14c917/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/TSubjectAssumingTransport.java#L42-L45] > > {code:java} > public void open() throws TTransportException { > try { > AccessControlContext context = AccessController.getContext(); > Subject subject = Subject.getSubject(context); > Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> { > try { > wrapped.open(); > } catch (TTransportException tte) { > // Wrap the transport exception in an RTE, since Subject.doAs() > then goes > // and unwraps this for us out of the doAs block. We then unwrap one > // more time in our catch clause to get back the TTE. (ugh) > throw new RuntimeException(tte); > } > return null; > }); > } catch (PrivilegedActionException ioe) { > throw new RuntimeException("Received an ioe we never threw!", ioe); > } catch (RuntimeException rte) { > if (rte.getCause() instanceof TTransportException) { > throw (TTransportException) rte.getCause(); > } else { > throw rte; > } > } > } {code} > > 3. > [https://github.com/apache/spark/blob/39cc4abaff73cb49f9d79d1d844fe5c9fa14c917/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/HttpAuthUtils.java#L73] > > {code:java} > public static String getKerberosServiceTicket(String principal, String host, > String serverHttpUrl, boolean assumeSubject) throws Exception { > String serverPrincipal = > ShimLoader.getHadoopThriftAuthBridge().getServerPrincipal(principal, > host); > if (assumeSubject) { > // With this option, we're assuming that the external application, > // using the JDBC driver has done a JAAS kerberos login already > AccessControlContext context = AccessController.getContext(); > Subject subject = Subject.getSubject(context); > if (subject == null) { > throw new Exception("The Subject is not set"); > } > return Subject.doAs(subject, new > HttpKerberosClientAction(serverPrincipal, serverHttpUrl)); > } else { > // JAAS login from ticket cache to setup the client UserGroupInformation > UserGroupInformation clientUGI = > > ShimLoader.getHadoopThriftAuthBridge().getCurrentUGIWithConf("kerberos"); > return clientUGI.doAs(new HttpKerberosClientAction(serverPrincipal, > serverHttpUrl)); > } > } {code} > > -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org