From 52217fce3d2a553c8850b7a1886340ae5a092436 Mon Sep 17 00:00:00 2001
From: Akira Ajisaka <aajisaka@apache.org>
Date: Fri, 5 Feb 2021 16:14:10 +0900
Subject: [PATCH] HADOOP-17432. [JDK 16] KerberosUtil#getOidInstance is broken
 by JEP 396 (#2546)

Reviewed-by: Steve Loughran <stevel@apache.org>
---
 .../authentication/util/KerberosUtil.java     | 37 +++++++++++--------
 .../TestKerberosAuthenticationHandler.java    |  5 +--
 .../hadoop/yarn/service/utils/HttpUtil.java   | 12 ++----
 .../yarn/client/util/YarnClientUtils.java     | 10 ++---
 4 files changed, 31 insertions(+), 33 deletions(-)

diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java
index 4319aa5b0d..95f0106a24 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosUtil.java
@@ -22,7 +22,6 @@
 import java.io.File;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
-import java.lang.reflect.Field;
 import java.lang.reflect.InvocationTargetException;
 import java.net.InetAddress;
 import java.net.UnknownHostException;
@@ -73,21 +72,29 @@ private static Oid getNumericOidInstance(String oidName) {
     }
   }
 
-  public static Oid getOidInstance(String oidName) 
-      throws ClassNotFoundException, GSSException, NoSuchFieldException,
-      IllegalAccessException {
-    Class<?> oidClass;
-    if (IBM_JAVA) {
-      if ("NT_GSS_KRB5_PRINCIPAL".equals(oidName)) {
-        // IBM JDK GSSUtil class does not have field for krb5 principal oid
-        return new Oid("1.2.840.113554.1.2.2.1");
-      }
-      oidClass = Class.forName("com.ibm.security.jgss.GSSUtil");
-    } else {
-      oidClass = Class.forName("sun.security.jgss.GSSUtil");
+  /**
+   * Returns the Oid instance from string oidName.
+   * Use {@link GSS_SPNEGO_MECH_OID}, {@link GSS_KRB5_MECH_OID},
+   * or {@link NT_GSS_KRB5_PRINCIPAL_OID} instead.
+   *
+   * @return Oid instance
+   * @param oidName The oid Name
+   * @throws NoSuchFieldException if the input is not supported.
+   */
+  @Deprecated
+  public static Oid getOidInstance(String oidName)
+      throws NoSuchFieldException {
+    switch (oidName) {
+    case "GSS_SPNEGO_MECH_OID":
+      return GSS_SPNEGO_MECH_OID;
+    case "GSS_KRB5_MECH_OID":
+      return GSS_KRB5_MECH_OID;
+    case "NT_GSS_KRB5_PRINCIPAL":
+      return NT_GSS_KRB5_PRINCIPAL_OID;
+    default:
+      throw new NoSuchFieldException(
+          "oidName: " + oidName + " is not supported.");
     }
-    Field oidField = oidClass.getDeclaredField(oidName);
-    return (Oid)oidField.get(oidClass);
   }
 
   /**
diff --git a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java
index 629b68bffb..f10371b925 100644
--- a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java
+++ b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java
@@ -301,11 +301,10 @@ public String call() throws Exception {
         GSSContext gssContext = null;
         try {
           String servicePrincipal = KerberosTestUtils.getServerPrincipal();
-          Oid oid =
-              KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL");
+          Oid oid = KerberosUtil.NT_GSS_KRB5_PRINCIPAL_OID;
           GSSName serviceName = gssManager.createName(servicePrincipal,
               oid);
-          oid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
+          oid = KerberosUtil.GSS_KRB5_MECH_OID;
           gssContext = gssManager.createContext(serviceName, oid, null,
                                                   GSSContext.DEFAULT_LIFETIME);
           gssContext.requestCredDeleg(true);
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/main/java/org/apache/hadoop/yarn/service/utils/HttpUtil.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/main/java/org/apache/hadoop/yarn/service/utils/HttpUtil.java
index ac5c079b60..11190ebb53 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/main/java/org/apache/hadoop/yarn/service/utils/HttpUtil.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core/src/main/java/org/apache/hadoop/yarn/service/utils/HttpUtil.java
@@ -30,12 +30,10 @@
 import org.apache.commons.codec.binary.Base64;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.client.AuthenticationException;
-import org.apache.hadoop.security.authentication.util.KerberosUtil;
 import org.ietf.jgss.GSSContext;
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.GSSManager;
 import org.ietf.jgss.GSSName;
-import org.ietf.jgss.Oid;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -72,8 +70,6 @@ public static String generateToken(String server) throws
           @Override
           public String run() throws Exception {
             try {
-              // This Oid for Kerberos GSS-API mechanism.
-              Oid mechOid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
               GSSManager manager = GSSManager.getInstance();
               // GSS name for server
               GSSName serverName = manager.createName("HTTP@" + server,
@@ -81,8 +77,9 @@ public String run() throws Exception {
               // Create a GSSContext for authentication with the service.
               // We're passing client credentials as null since we want them to
               // be read from the Subject.
+              // We're passing Oid as null to use the default.
               GSSContext gssContext = manager.createContext(
-                  serverName.canonicalize(mechOid), mechOid, null,
+                  serverName.canonicalize(null), null, null,
                   GSSContext.DEFAULT_LIFETIME);
               gssContext.requestMutualAuth(true);
               gssContext.requestCredDeleg(true);
@@ -95,9 +92,8 @@ public String run() throws Exception {
               LOG.debug("Got valid challenge for host {}", serverName);
               return new String(BASE_64_CODEC.encode(outToken),
                   StandardCharsets.US_ASCII);
-            } catch (GSSException | IllegalAccessException
-                | NoSuchFieldException | ClassNotFoundException e) {
-              LOG.error("Error: {}", e);
+            } catch (GSSException e) {
+              LOG.error("Error: ", e);
               throw new AuthenticationException(e);
             }
           }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/util/YarnClientUtils.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/util/YarnClientUtils.java
index 109e3c04a5..50a1a0b6c7 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/util/YarnClientUtils.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/util/YarnClientUtils.java
@@ -31,7 +31,6 @@
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.client.AuthenticationException;
-import org.apache.hadoop.security.authentication.util.KerberosUtil;
 import org.apache.hadoop.yarn.api.records.NodeLabel;
 import org.apache.hadoop.yarn.conf.HAUtil;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
@@ -39,7 +38,6 @@
 import org.ietf.jgss.GSSException;
 import org.ietf.jgss.GSSManager;
 import org.ietf.jgss.GSSName;
-import org.ietf.jgss.Oid;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -222,8 +220,6 @@ public static String generateToken(String server) throws IOException,
           @Override
           public String run() throws Exception {
             try {
-              // This Oid for Kerberos GSS-API mechanism.
-              Oid mechOid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
               GSSManager manager = GSSManager.getInstance();
               // GSS name for server
               GSSName serverName = manager.createName("HTTP@" + server,
@@ -231,8 +227,9 @@ public String run() throws Exception {
               // Create a GSSContext for authentication with the service.
               // We're passing client credentials as null since we want them to
               // be read from the Subject.
+              // We're passing Oid as null to use the default.
               GSSContext gssContext = manager.createContext(
-                  serverName.canonicalize(mechOid), mechOid, null,
+                  serverName.canonicalize(null), null, null,
                   GSSContext.DEFAULT_LIFETIME);
               gssContext.requestMutualAuth(true);
               gssContext.requestCredDeleg(true);
@@ -245,8 +242,7 @@ public String run() throws Exception {
               LOG.debug("Got valid challenge for host {}", serverName);
               return new String(BASE_64_CODEC.encode(outToken),
                   StandardCharsets.US_ASCII);
-            } catch (GSSException | IllegalAccessException
-                | NoSuchFieldException | ClassNotFoundException e) {
+            } catch (GSSException e) {
               LOG.error("Error: ", e);
               throw new AuthenticationException(e);
             }