Repository: hadoop Updated Branches: refs/heads/HADOOP-12756 e671a0f52 -> 60f66a930
HADOOP-13558. UserGroupInformation created from a Subject incorrectly tries to renew the Kerberos ticket. Contributed by Xiao Chen. Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/680be58a Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/680be58a Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/680be58a Branch: refs/heads/HADOOP-12756 Commit: 680be58aac03a9ffab6b07c8fde9602ddb9dc858 Parents: 5f23abf Author: Xiao Chen <x...@apache.org> Authored: Tue Sep 6 20:25:26 2016 -0700 Committer: Xiao Chen <x...@apache.org> Committed: Tue Sep 6 20:54:17 2016 -0700 ---------------------------------------------------------------------- .../hadoop/security/UserGroupInformation.java | 22 +++++++++++++++--- .../security/TestUserGroupInformation.java | 24 ++++++++++++++++++++ 2 files changed, 43 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/680be58a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java index fe6fbe4..ed3a9d0 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java @@ -632,9 +632,24 @@ public class UserGroupInformation { * @param subject the user's subject */ UserGroupInformation(Subject subject) { + this(subject, false); + } + + /** + * Create a UGI from the given subject. + * @param subject the subject + * @param externalKeyTab if the subject's keytab is managed by the user. + * Setting this to true will prevent UGI from attempting + * to login the keytab, or to renew it. + */ + private UserGroupInformation(Subject subject, final boolean externalKeyTab) { this.subject = subject; this.user = subject.getPrincipals(User.class).iterator().next(); - this.isKeytab = KerberosUtil.hasKerberosKeyTab(subject); + if (externalKeyTab) { + this.isKeytab = false; + } else { + this.isKeytab = KerberosUtil.hasKerberosKeyTab(subject); + } this.isKrbTkt = KerberosUtil.hasKerberosTicket(subject); } @@ -850,10 +865,11 @@ public class UserGroupInformation { newLoginContext(authenticationMethod.getLoginAppName(), subject, new HadoopConfiguration()); login.login(); - UserGroupInformation realUser = new UserGroupInformation(subject); + LOG.debug("Assuming keytab is managed externally since logged in from" + + " subject."); + UserGroupInformation realUser = new UserGroupInformation(subject, true); realUser.setLogin(login); realUser.setAuthenticationMethod(authenticationMethod); - realUser = new UserGroupInformation(login.getSubject()); // If the HADOOP_PROXY_USER environment variable or property // is specified, create a proxy user as the logged in user. String proxyUser = System.getenv(HADOOP_PROXY_USER); http://git-wip-us.apache.org/repos/asf/hadoop/blob/680be58a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java index a306d35..e45d70d 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java @@ -37,6 +37,7 @@ import org.junit.Test; import javax.security.auth.Subject; import javax.security.auth.kerberos.KerberosPrincipal; +import javax.security.auth.kerberos.KeyTab; import javax.security.auth.login.AppConfigurationEntry; import javax.security.auth.login.LoginContext; @@ -1030,4 +1031,27 @@ public class TestUserGroupInformation { assertTrue(credsugiTokens.contains(token1)); assertTrue(credsugiTokens.contains(token2)); } + + @Test + public void testCheckTGTAfterLoginFromSubject() throws Exception { + // security on, default is remove default realm + SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, conf); + UserGroupInformation.setConfiguration(conf); + + // Login from a pre-set subject with a keytab + final Subject subject = new Subject(); + KeyTab keytab = KeyTab.getInstance(); + subject.getPrivateCredentials().add(keytab); + UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); + ugi.doAs(new PrivilegedExceptionAction<Void>() { + @Override + public Void run() throws IOException { + UserGroupInformation.loginUserFromSubject(subject); + // this should not throw. + UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab(); + return null; + } + }); + + } } --------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org