Author: ddas Date: Tue Mar 20 17:19:45 2012 New Revision: 1303018 URL: http://svn.apache.org/viewvc?rev=1303018&view=rev Log: merge -r1303016:1303017 from branch-1 onto branch-1.0. Fixes HADOOP-6941.
Added: hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/authentication/util/KerberosUtil.java - copied unchanged from r1303017, hadoop/common/branches/branch-1/src/core/org/apache/hadoop/security/authentication/util/KerberosUtil.java Modified: hadoop/common/branches/branch-1.0/ (props changed) hadoop/common/branches/branch-1.0/CHANGES.txt (contents, props changed) hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/KerberosName.java hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/SecurityUtil.java hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/UserGroupInformation.java hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java hadoop/common/branches/branch-1.0/src/mapred/ (props changed) hadoop/common/branches/branch-1.0/src/test/org/apache/hadoop/security/authentication/KerberosTestUtils.java hadoop/common/branches/branch-1.0/src/test/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java Propchange: hadoop/common/branches/branch-1.0/ ------------------------------------------------------------------------------ Merged /hadoop/common/branches/branch-1:r1303017 Modified: hadoop/common/branches/branch-1.0/CHANGES.txt URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1.0/CHANGES.txt?rev=1303018&r1=1303017&r2=1303018&view=diff ============================================================================== --- hadoop/common/branches/branch-1.0/CHANGES.txt (original) +++ hadoop/common/branches/branch-1.0/CHANGES.txt Tue Mar 20 17:19:45 2012 
@@ -5,6 +5,9 @@ Hadoop Change Log This was done to handle the build of Hadoop with IBM's JDK. (Stephen Watt, Guillermo Cabrera and ddas) + HADOOP-6941. Adds support for building Hadoop with IBM's JDK + (Stephen Watt, Eli and ddas) + Release 1.0.2 - 2012.03.18 NEW FEATURES Propchange: hadoop/common/branches/branch-1.0/CHANGES.txt ------------------------------------------------------------------------------ Merged /hadoop/common/branches/branch-1/CHANGES.txt:r1303017 Modified: hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/KerberosName.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/KerberosName.java?rev=1303018&r1=1303017&r2=1303018&view=diff ============================================================================== --- hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/KerberosName.java (original) +++ hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/KerberosName.java Tue Mar 20 17:19:45 2012 @@ -25,9 +25,7 @@ import java.util.regex.Matcher; import java.util.regex.Pattern; import org.apache.hadoop.conf.Configuration; - -import sun.security.krb5.Config; -import sun.security.krb5.KrbException; +import org.apache.hadoop.security.authentication.util.KerberosUtil; /** * This class implements parsing and handling of Kerberos principal names. In 
@@ -73,13 +71,11 @@ public class KerberosName { private static List<Rule> rules; private static String defaultRealm; - private static Config kerbConf; static { try { - kerbConf = Config.getInstance(); - defaultRealm = kerbConf.getDefaultRealm(); - } catch (KrbException ke) { + defaultRealm = KerberosUtil.getDefaultRealm(); + } catch (Exception ke) { if(UserGroupInformation.isSecurityEnabled()) throw new IllegalArgumentException("Can't get Kerberos configuration",ke); else Modified: hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/SecurityUtil.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/SecurityUtil.java?rev=1303018&r1=1303017&r2=1303018&view=diff ============================================================================== --- hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/SecurityUtil.java (original) +++ hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/SecurityUtil.java Tue Mar 20 17:19:45 2012 @@ -17,6 +17,10 @@ package org.apache.hadoop.security; import java.io.IOException; +import java.lang.reflect.Constructor; +import java.lang.reflect.Field; +import java.lang.reflect.InvocationTargetException; +import java.lang.reflect.Method; import java.net.InetAddress; import java.net.InetSocketAddress; import java.net.URI; @@ -42,9 +46,6 @@ import org.apache.hadoop.security.token. //this will need to be replaced someday when there is a suitable replacement import sun.net.dns.ResolverConfiguration; import sun.net.util.IPAddressUtil; -import sun.security.jgss.krb5.Krb5Util; -import sun.security.krb5.Credentials; -import sun.security.krb5.PrincipalName; public class SecurityUtil { public static final Log LOG = LogFactory.getLog(SecurityUtil.class); 
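Review bot: In the KerberosName static initializer, widening the handler to `catch (Exception ke)` makes every failure inside `KerberosUtil.getDefaultRealm()` indistinguishable from a missing Kerberos configuration. The `else` branch runs past the end of this hunk, so its behaviour is not visible here; if it falls back silently when security is disabled, a broken vendor-class lookup would go unnoticed until security is switched on. I would log `ke` at debug level in that branch and add a comment on the catch, for example `// Exception, not KrbException: the vendor krb5 classes are no longer referenced at compile time`.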
@@ -128,12 +129,41 @@ public class SecurityUtil { String serviceName = "host/" + remoteHost.getHost(); if (LOG.isDebugEnabled()) LOG.debug("Fetching service ticket for host at: " + serviceName); - Credentials serviceCred = null; + Object serviceCred = null; + Method credsToTicketMeth; + Class<?> krb5utilClass; try { - PrincipalName principal = new PrincipalName(serviceName, - PrincipalName.KRB_NT_SRV_HST); - serviceCred = Credentials.acquireServiceCreds(principal - .toString(), Krb5Util.ticketToCreds(getTgtFromSubject())); + Class<?> principalClass; + Class<?> credentialsClass; + + if (System.getProperty("java.vendor").contains("IBM")) { + principalClass = Class.forName("com.ibm.security.krb5.PrincipalName"); + + credentialsClass = Class.forName("com.ibm.security.krb5.Credentials"); + krb5utilClass = Class.forName("com.ibm.security.jgss.mech.krb5"); + } else { + principalClass = Class.forName("sun.security.krb5.PrincipalName"); + credentialsClass = Class.forName("sun.security.krb5.Credentials"); + krb5utilClass = Class.forName("sun.security.jgss.krb5"); + } + @SuppressWarnings("rawtypes") + Constructor principalConstructor = principalClass.getConstructor(String.class, + int.class); + Field KRB_NT_SRV_HST = principalClass.getDeclaredField("KRB_NT_SRV_HST"); + Method acquireServiceCredsMeth = + credentialsClass.getDeclaredMethod("acquireServiceCreds", + String.class, credentialsClass); + Method ticketToCredsMeth = krb5utilClass.getDeclaredMethod("ticketToCreds", + KerberosTicket.class); + credsToTicketMeth = krb5utilClass.getDeclaredMethod("credsToTicket", + credentialsClass); + + Object principal = principalConstructor.newInstance(serviceName, + KRB_NT_SRV_HST.get(principalClass)); + + serviceCred = acquireServiceCredsMeth.invoke(credentialsClass, + principal.toString(), + ticketToCredsMeth.invoke(krb5utilClass, getTgtFromSubject())); } catch (Exception e) { throw new IOException("Can't get service ticket for: " + serviceName, e); 
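Review bot: The non-IBM branch calls `Class.forName("sun.security.jgss.krb5")`, but the import this commit removes was `sun.security.jgss.krb5.Krb5Util`, so the string looks like a package name rather than the utility class. If so, `Class.forName` throws `ClassNotFoundException`, the surrounding `catch (Exception e)` wraps it, and every call fails with "Can't get service ticket for: ..." before any ticket is requested. The line should probably read `krb5utilClass = Class.forName("sun.security.jgss.krb5.Krb5Util");`. The IBM string `com.ibm.security.jgss.mech.krb5` has the same shape and needs checking against that JDK. The enclosing method starts before this hunk and continues past it.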
@@ -141,8 +171,13 @@ public class SecurityUtil { if (serviceCred == null) { throw new IOException("Can't get service ticket for " + serviceName); } - Subject.getSubject(AccessController.getContext()).getPrivateCredentials() - .add(Krb5Util.credsToTicket(serviceCred)); + try { + Subject.getSubject(AccessController.getContext()).getPrivateCredentials() + .add(credsToTicketMeth.invoke(krb5utilClass, serviceCred)); + } catch (Exception e) { + throw new IOException("Can't get service ticket for: " + + serviceName, e); + } } /** Modified: hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/UserGroupInformation.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/UserGroupInformation.java?rev=1303018&r1=1303017&r2=1303018&view=diff ============================================================================== --- hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/UserGroupInformation.java (original) +++ hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/UserGroupInformation.java Tue Mar 20 17:19:45 2012 @@ -51,14 +51,11 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.fs.Path; +import org.apache.hadoop.security.authentication.util.KerberosUtil; import org.apache.hadoop.security.token.Token; import org.apache.hadoop.security.token.TokenIdentifier; import org.apache.hadoop.util.Shell; -import com.sun.security.auth.NTUserPrincipal; -import com.sun.security.auth.UnixPrincipal; -import com.sun.security.auth.module.Krb5LoginModule; - /** * User and group information for Hadoop. * This class wraps around a JAAS Subject and provides methods to determine the 
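Review bot: The new `try` around `getPrivateCredentials().add(...)` in the `@@ -141,8 +171,13 @@` hunk reuses the message "Can't get service ticket for: ", although by this point the credentials have been acquired and the failing step is the conversion or the store into the Subject. `Subject.getSubject(AccessController.getContext())` returns null when no Subject is associated with the context, and that NullPointerException is now wrapped under the same text, so a missing login context reads like a KDC failure. A distinct message such as `"Can't add service ticket to Subject for: " + serviceName` would keep the two failure modes apart in logs. The method begins before this hunk.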
@@ -253,22 +250,53 @@ public class UserGroupInformation { private final boolean isKeytab; private final boolean isKrbTkt; - private static final String OS_LOGIN_MODULE_NAME; - private static final Class<? extends Principal> OS_PRINCIPAL_CLASS; + private static String OS_LOGIN_MODULE_NAME; + private static Class<? extends Principal> OS_PRINCIPAL_CLASS; private static final boolean windows = System.getProperty("os.name").startsWith("Windows"); private static Thread renewerThread = null; private static volatile boolean shouldRunRenewerThread = true; - static { - if (windows) { - OS_LOGIN_MODULE_NAME = "com.sun.security.auth.module.NTLoginModule"; - OS_PRINCIPAL_CLASS = NTUserPrincipal.class; + /* Return the OS login module class name */ + private static String getOSLoginModuleName() { + if (System.getProperty("java.vendor").contains("IBM")) { + return windows ? "com.ibm.security.auth.module.NTLoginModule" + : "com.ibm.security.auth.module.LinuxLoginModule"; } else { - OS_LOGIN_MODULE_NAME = "com.sun.security.auth.module.UnixLoginModule"; - OS_PRINCIPAL_CLASS = UnixPrincipal.class; + return windows ? "com.sun.security.auth.module.NTLoginModule" + : "com.sun.security.auth.module.UnixLoginModule"; } } + + /* Return the OS principal class */ + @SuppressWarnings("unchecked") + private static Class<? extends Principal> getOsPrincipalClass() { + ClassLoader cl = ClassLoader.getSystemClassLoader(); + try { + if (System.getProperty("java.vendor").contains("IBM")) { + if (windows) { + return (Class<? extends Principal>) + cl.loadClass("com.ibm.security.auth.UsernamePrincipal"); + } else { + return (Class<? extends Principal>) + (System.getProperty("os.arch").contains("64") + ? cl.loadClass("com.ibm.security.auth.UsernamePrincipal") + : cl.loadClass("com.ibm.security.auth.LinuxPrincipal")); + } + } else { + return (Class<? extends Principal>) (windows + ? 
cl.loadClass("com.sun.security.auth.NTUserPrincipal") + : cl.loadClass("com.sun.security.auth.UnixPrincipal")); + } + } catch (ClassNotFoundException e) { + LOG.error("Unable to find JAAS classes:" + e.getMessage()); + } + return null; + } + static { + OS_LOGIN_MODULE_NAME = getOSLoginModuleName(); + OS_PRINCIPAL_CLASS = getOsPrincipalClass(); + } private static class RealUser implements Principal { private final UserGroupInformation realUser; @@ -339,7 +367,7 @@ public class UserGroupInformation { } } private static final AppConfigurationEntry USER_KERBEROS_LOGIN = - new AppConfigurationEntry(Krb5LoginModule.class.getName(), + new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(), LoginModuleControlFlag.OPTIONAL, USER_KERBEROS_OPTIONS); private static final Map<String,String> KEYTAB_KERBEROS_OPTIONS = @@ -350,7 +378,7 @@ public class UserGroupInformation { KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true"); } private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN = - new AppConfigurationEntry(Krb5LoginModule.class.getName(), + new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(), LoginModuleControlFlag.REQUIRED, KEYTAB_KERBEROS_OPTIONS); Modified: hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java?rev=1303018&r1=1303017&r2=1303018&view=diff ============================================================================== --- hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java (original) +++ hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java Tue Mar 20 17:19:45 2012 
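Review bot: `getOsPrincipalClass()` logs and returns `null` on `ClassNotFoundException`, so `OS_PRINCIPAL_CLASS` can be null after class initialisation and the failure surfaces only where the field is first used, far from the cause. Unless a null principal class is handled downstream (not visible in this hunk), failing at load time is safer for the code that decides which OS principal identifies the user: `throw new IllegalStateException("Unable to find JAAS classes", e);`. The current `LOG.error("Unable to find JAAS classes:" + e.getMessage())` also drops the stack trace; passing `e` as the second argument would keep it. Both fields are still assigned exactly once in the static block, so the `final` modifiers removed here could stay.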
@@ -13,12 +13,12 @@ */ package org.apache.hadoop.security.authentication.client; -import com.sun.security.auth.module.Krb5LoginModule; import org.apache.commons.codec.binary.Base64; +import org.apache.hadoop.security.authentication.util.KerberosUtil; import org.ietf.jgss.GSSContext; import org.ietf.jgss.GSSManager; import org.ietf.jgss.GSSName; -import sun.security.jgss.GSSUtil; +import org.ietf.jgss.Oid; import javax.security.auth.Subject; import javax.security.auth.login.AppConfigurationEntry; @@ -26,6 +26,7 @@ import javax.security.auth.login.Configu import javax.security.auth.login.LoginContext; import javax.security.auth.login.LoginException; import java.io.IOException; +import java.lang.reflect.Field; import java.net.HttpURLConnection; import java.net.URL; import java.security.AccessControlContext; @@ -97,7 +98,7 @@ public class KerberosAuthenticator imple } private static final AppConfigurationEntry USER_KERBEROS_LOGIN = - new AppConfigurationEntry(Krb5LoginModule.class.getName(), + new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(), AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL, USER_KERBEROS_OPTIONS); @@ -109,7 +110,7 @@ public class KerberosAuthenticator imple return USER_KERBEROS_CONF; } } - + private URL url; private HttpURLConnection conn; private Base64 base64; 
@@ -195,9 +196,12 @@ public class KerberosAuthenticator imple try { GSSManager gssManager = GSSManager.getInstance(); String servicePrincipal = "HTTP/" + KerberosAuthenticator.this.url.getHost(); + GSSName serviceName = gssManager.createName(servicePrincipal, - GSSUtil.NT_GSS_KRB5_PRINCIPAL); - gssContext = gssManager.createContext(serviceName, GSSUtil.GSS_KRB5_MECH_OID, null, + GSSName.NT_HOSTBASED_SERVICE); + Oid oid = KerberosUtil.getOidClassInstance(servicePrincipal, + gssManager); + gssContext = gssManager.createContext(serviceName, oid, null, GSSContext.DEFAULT_LIFETIME); gssContext.requestCredDeleg(true); gssContext.requestMutualAuth(true); Modified: hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java?rev=1303018&r1=1303017&r2=1303018&view=diff ============================================================================== --- hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java (original) +++ hadoop/common/branches/branch-1.0/src/core/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java Tue Mar 20 17:19:45 2012 @@ -15,9 +15,9 @@ package org.apache.hadoop.security.authe import org.apache.hadoop.security.authentication.client.AuthenticationException; import org.apache.hadoop.security.authentication.client.KerberosAuthenticator; -import com.sun.security.auth.module.Krb5LoginModule; import org.apache.commons.codec.binary.Base64; import org.apache.hadoop.security.KerberosName; +import org.apache.hadoop.security.authentication.util.KerberosUtil; import org.ietf.jgss.GSSContext; import org.ietf.jgss.GSSCredential; import org.ietf.jgss.GSSManager; 
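Review bot: `servicePrincipal` is still built as `"HTTP/" + host`, but the name type passed to `createName` is now `GSSName.NT_HOSTBASED_SERVICE`, whose string form is `service@host`. With the previous `NT_GSS_KRB5_PRINCIPAL` type the `HTTP/host` form matched; under the host-based type a GSS provider may parse the whole string as the service part and derive a different target principal, so the client could request a ticket for an unintended service name or fail to obtain one. Either build the name as `"HTTP@" + KerberosAuthenticator.this.url.getHost()` or resolve the Kerberos principal name-type OID at runtime, the way the mechanism OID is resolved. The same pairing appears in the `@@ -116,9 +118,12 @@` hunk of TestKerberosAuthenticationHandler. The `java.lang.reflect.Field` import added to both files is not used in any hunk shown here.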
@@ -93,7 +93,7 @@ public class KerberosAuthenticationHandl } return new AppConfigurationEntry[]{ - new AppConfigurationEntry(Krb5LoginModule.class.getName(), + new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options),}; } Propchange: hadoop/common/branches/branch-1.0/src/mapred/ ------------------------------------------------------------------------------ Merged /hadoop/common/branches/branch-1/src/mapred:r1303017 Modified: hadoop/common/branches/branch-1.0/src/test/org/apache/hadoop/security/authentication/KerberosTestUtils.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1.0/src/test/org/apache/hadoop/security/authentication/KerberosTestUtils.java?rev=1303018&r1=1303017&r2=1303018&view=diff ============================================================================== --- hadoop/common/branches/branch-1.0/src/test/org/apache/hadoop/security/authentication/KerberosTestUtils.java (original) +++ hadoop/common/branches/branch-1.0/src/test/org/apache/hadoop/security/authentication/KerberosTestUtils.java Tue Mar 20 17:19:45 2012 @@ -13,13 +13,15 @@ */ package org.apache.hadoop.security.authentication; -import com.sun.security.auth.module.Krb5LoginModule; import javax.security.auth.Subject; import javax.security.auth.kerberos.KerberosPrincipal; import javax.security.auth.login.AppConfigurationEntry; import javax.security.auth.login.Configuration; import javax.security.auth.login.LoginContext; + +import org.apache.hadoop.security.authentication.util.KerberosUtil; + import java.io.File; import java.security.Principal; import java.security.PrivilegedActionException; 
@@ -88,7 +90,7 @@ public class KerberosTestUtils { options.put("debug", "true"); return new AppConfigurationEntry[]{ - new AppConfigurationEntry(Krb5LoginModule.class.getName(), + new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options),}; } Modified: hadoop/common/branches/branch-1.0/src/test/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-1.0/src/test/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java?rev=1303018&r1=1303017&r2=1303018&view=diff ============================================================================== --- hadoop/common/branches/branch-1.0/src/test/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java (original) +++ hadoop/common/branches/branch-1.0/src/test/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java Tue Mar 20 17:19:45 2012 @@ -18,15 +18,17 @@ import org.apache.hadoop.security.authen import org.apache.hadoop.security.authentication.client.KerberosAuthenticator; import junit.framework.TestCase; import org.apache.commons.codec.binary.Base64; +import org.apache.hadoop.security.authentication.util.KerberosUtil; import org.ietf.jgss.GSSContext; import org.ietf.jgss.GSSManager; import org.ietf.jgss.GSSName; import org.junit.Ignore; import org.mockito.Mockito; -import sun.security.jgss.GSSUtil; +import org.ietf.jgss.Oid; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import java.lang.reflect.Field; import java.util.Properties; import java.util.concurrent.Callable; 
@@ -116,9 +118,12 @@ public class TestKerberosAuthenticationH GSSContext gssContext = null; try { String servicePrincipal = KerberosTestUtils.getServerPrincipal(); - GSSName serviceName = gssManager.createName(servicePrincipal, GSSUtil.NT_GSS_KRB5_PRINCIPAL); - gssContext = gssManager.createContext(serviceName, GSSUtil.GSS_KRB5_MECH_OID, null, - GSSContext.DEFAULT_LIFETIME); + GSSName serviceName = gssManager.createName(servicePrincipal, + GSSName.NT_HOSTBASED_SERVICE); + Oid oid = KerberosUtil.getOidClassInstance(servicePrincipal, + gssManager); + gssContext = gssManager.createContext(serviceName, oid, null, + GSSContext.DEFAULT_LIFETIME); gssContext.requestCredDeleg(true); gssContext.requestMutualAuth(true);