[jira] [Comment Edited] (SPARK-45482) Handle the usage of AccessControlContext and AccessController.

Tue, 10 Oct 2023 21:16:03 -0700 


    [ 
https://issues.apache.org/jira/browse/SPARK-45482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17773892#comment-17773892
 ] 

Dongjoon Hyun edited comment on SPARK-45482 at 10/11/23 4:15 AM:
-----------------------------------------------------------------

Actually, I'm not sure about those three cases. Yes, let's keep them for now 
because Java 21 keeps them still, [~LuciferYang] .


was (Author: dongjoon):
Actually, I'm not sure about those three cases. Why don't we keep them for now 
because Java 21 keeps them still, [~LuciferYang] ?

> Handle the usage of AccessControlContext and AccessController.
> --------------------------------------------------------------
>
>                 Key: SPARK-45482
>                 URL: https://issues.apache.org/jira/browse/SPARK-45482
>             Project: Spark
>          Issue Type: Sub-task
>          Components: Spark Core, SQL
>    Affects Versions: 4.0.0
>            Reporter: Yang Jie
>            Priority: Minor
>
>  
>  
> {code:java}
>  * @deprecated This class is only useful in conjunction with
>  *       {@linkplain SecurityManager the Security Manager}, which is 
> deprecated
>  *       and subject to removal in a future release. Consequently, this class
>  *       is also deprecated and subject to removal. There is no replacement 
> for
>  *       the Security Manager or this class.
>  */
> @Deprecated(since="17", forRemoval=true)
> public final class AccessController {
> * @deprecated This class is only useful in conjunction with
>  *       {@linkplain SecurityManager the Security Manager}, which is 
> deprecated
>  *       and subject to removal in a future release. Consequently, this class
>  *       is also deprecated and subject to removal. There is no replacement 
> for
>  *       the Security Manager or this class.
>  */
> @Deprecated(since="17", forRemoval=true)
> public final class AccessControlContext { {code}
>  
>  
> `AccessControlContext` and `AccessController` are marked as deprecated in 
> Java 17, with `forRemoval` set to true. From the Javadoc, it can be seen that 
> they do not have corresponding replacements.
>  
> In Spark, there are three files that use AccessControlContext or 
> AccessController:
> 1.[https://github.com/apache/spark/blob/39cc4abaff73cb49f9d79d1d844fe5c9fa14c917/core/src/main/scala/org/apache/spark/serializer/SerializationDebugger.scala#L70-L73]
> {code:java}
> private[serializer] var enableDebugging: Boolean = {
>   !AccessController.doPrivileged(new sun.security.action.GetBooleanAction(
>     "sun.io.serialization.extendedDebugInfo")).booleanValue()
> } {code}
>  
> 2. 
> [https://github.com/apache/spark/blob/39cc4abaff73cb49f9d79d1d844fe5c9fa14c917/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/TSubjectAssumingTransport.java#L42-L45]
>  
> {code:java}
> public void open() throws TTransportException {
>     try {
>       AccessControlContext context = AccessController.getContext();
>       Subject subject = Subject.getSubject(context);
>       Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
>         try {
>           wrapped.open();
>         } catch (TTransportException tte) {
>           // Wrap the transport exception in an RTE, since Subject.doAs() 
> then goes
>           // and unwraps this for us out of the doAs block. We then unwrap one
>           // more time in our catch clause to get back the TTE. (ugh)
>           throw new RuntimeException(tte);
>         }
>         return null;
>       });
>     } catch (PrivilegedActionException ioe) {
>       throw new RuntimeException("Received an ioe we never threw!", ioe);
>     } catch (RuntimeException rte) {
>       if (rte.getCause() instanceof TTransportException) {
>         throw (TTransportException) rte.getCause();
>       } else {
>         throw rte;
>       }
>     }
>   } {code}
>  
> 3. 
> [https://github.com/apache/spark/blob/39cc4abaff73cb49f9d79d1d844fe5c9fa14c917/sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/HttpAuthUtils.java#L73]
>  
> {code:java}
>   public static String getKerberosServiceTicket(String principal, String host,
>       String serverHttpUrl, boolean assumeSubject) throws Exception {
>     String serverPrincipal =
>         ShimLoader.getHadoopThriftAuthBridge().getServerPrincipal(principal, 
> host);
>     if (assumeSubject) {
>       // With this option, we're assuming that the external application,
>       // using the JDBC driver has done a JAAS kerberos login already
>       AccessControlContext context = AccessController.getContext();
>       Subject subject = Subject.getSubject(context);
>       if (subject == null) {
>         throw new Exception("The Subject is not set");
>       }
>       return Subject.doAs(subject, new 
> HttpKerberosClientAction(serverPrincipal, serverHttpUrl));
>     } else {
>       // JAAS login from ticket cache to setup the client UserGroupInformation
>       UserGroupInformation clientUGI =
>           
> ShimLoader.getHadoopThriftAuthBridge().getCurrentUGIWithConf("kerberos");
>       return clientUGI.doAs(new HttpKerberosClientAction(serverPrincipal, 
> serverHttpUrl));
>     }
>   } {code}
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org

Reply via email to