HADOOP-6649. login object in UGI should be inside the subject (jnp via boryas)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@951618 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
bb29ad17db
commit
56b15e9e8f
@ -65,6 +65,8 @@ Trunk (unreleased changes)
|
||||
glob pattern code less restrictive and more POSIX standard
|
||||
compliant. (Luke Lu via eli)
|
||||
|
||||
HADOOP-6649. login object in UGI should be inside the subject (jnp via boryas)
|
||||
|
||||
Release 0.21.0 - Unreleased
|
||||
|
||||
INCOMPATIBLE CHANGES
|
||||
|
@ -19,6 +19,8 @@
|
||||
|
||||
import java.security.Principal;
|
||||
|
||||
import javax.security.auth.login.LoginContext;
|
||||
|
||||
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
|
||||
|
||||
/**
|
||||
@ -29,12 +31,13 @@ class User implements Principal {
|
||||
private final String fullName;
|
||||
private final String shortName;
|
||||
private AuthenticationMethod authMethod = null;
|
||||
private LoginContext login = null;
|
||||
|
||||
public User(String name) {
|
||||
this(name, null);
|
||||
this(name, null, null);
|
||||
}
|
||||
|
||||
public User(String name, AuthenticationMethod authMethod) {
|
||||
public User(String name, AuthenticationMethod authMethod, LoginContext login) {
|
||||
fullName = name;
|
||||
int atIdx = name.indexOf('@');
|
||||
if (atIdx == -1) {
|
||||
@ -48,6 +51,7 @@ public User(String name, AuthenticationMethod authMethod) {
|
||||
}
|
||||
}
|
||||
this.authMethod = authMethod;
|
||||
this.login = login;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -94,4 +98,20 @@ public void setAuthenticationMethod(AuthenticationMethod authMethod) {
|
||||
public AuthenticationMethod getAuthenticationMethod() {
|
||||
return authMethod;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns login object
|
||||
* @return login
|
||||
*/
|
||||
public LoginContext getLogin() {
|
||||
return login;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the login object
|
||||
* @param login
|
||||
*/
|
||||
public void setLogin(LoginContext login) {
|
||||
this.login = login;
|
||||
}
|
||||
}
|
||||
|
@ -206,8 +206,6 @@ public static boolean isSecurityEnabled() {
|
||||
|
||||
private final Subject subject;
|
||||
|
||||
private LoginContext login;
|
||||
|
||||
private static final String OS_LOGIN_MODULE_NAME;
|
||||
private static final Class<? extends Principal> OS_PRINCIPAL_CLASS;
|
||||
private static final boolean windows =
|
||||
@ -330,6 +328,19 @@ public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
private LoginContext getLogin() {
|
||||
for (User p: subject.getPrincipals(User.class)) {
|
||||
return p.getLogin();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
private void setLogin(LoginContext login) {
|
||||
for (User p: subject.getPrincipals(User.class)) {
|
||||
p.setLogin(login);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a UserGroupInformation for the given subject.
|
||||
@ -371,7 +382,7 @@ static UserGroupInformation getLoginUser() throws IOException {
|
||||
subject);
|
||||
}
|
||||
login.login();
|
||||
loginUser.login = login;
|
||||
loginUser.setLogin(login);
|
||||
loginUser = new UserGroupInformation(login.getSubject());
|
||||
String tokenFile = System.getenv(HADOOP_TOKEN_FILE_LOCATION);
|
||||
if (tokenFile != null && isSecurityEnabled()) {
|
||||
@ -407,7 +418,7 @@ static void loginUserFromKeytab(String user,
|
||||
new LoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject);
|
||||
login.login();
|
||||
loginUser = new UserGroupInformation(subject);
|
||||
loginUser.login = login;
|
||||
loginUser.setLogin(login);
|
||||
} catch (LoginException le) {
|
||||
throw new IOException("Login failure for " + user + " from keytab " +
|
||||
path, le);
|
||||
@ -427,6 +438,7 @@ public synchronized void reloginFromKeytab()
|
||||
throws IOException {
|
||||
if (!isSecurityEnabled())
|
||||
return;
|
||||
LoginContext login = getLogin();
|
||||
if (login == null || keytabFile == null) {
|
||||
throw new IOException("loginUserFromKeyTab must be done first");
|
||||
}
|
||||
@ -452,6 +464,7 @@ public synchronized void reloginFromKeytab()
|
||||
getSubject());
|
||||
LOG.info("Initiating re-login for " + keytabPrincipal);
|
||||
login.login();
|
||||
setLogin(login);
|
||||
} catch (LoginException le) {
|
||||
throw new IOException("Login failure for " + keytabPrincipal +
|
||||
" from keytab " + keytabFile, le);
|
||||
|
@ -32,6 +32,8 @@
|
||||
import java.util.Collection;
|
||||
import java.util.List;
|
||||
|
||||
import javax.security.auth.login.LoginContext;
|
||||
|
||||
import junit.framework.Assert;
|
||||
|
||||
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
|
||||
@ -287,4 +289,17 @@ public Object run() throws IOException {
|
||||
"proxyAnother", realugi);
|
||||
Assert.assertEquals(proxyUgi3, proxyUgi4);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testLoginObjectInSubject() throws Exception {
|
||||
UserGroupInformation loginUgi = UserGroupInformation.getLoginUser();
|
||||
UserGroupInformation anotherUgi = new UserGroupInformation(loginUgi
|
||||
.getSubject());
|
||||
LoginContext login1 = loginUgi.getSubject().getPrincipals(User.class)
|
||||
.iterator().next().getLogin();
|
||||
LoginContext login2 = anotherUgi.getSubject().getPrincipals(User.class)
|
||||
.iterator().next().getLogin();
|
||||
//login1 and login2 must be same instances
|
||||
Assert.assertTrue(login1 == login2);
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user