HADOOP-13558. UserGroupInformation created from a Subject incorrectly tries to renew the Kerberos ticket. Contributed by Xiao Chen.
This commit is contained in:
parent
5f23abfa30
commit
680be58aac
@ -632,9 +632,24 @@ private void setLogin(LoginContext login) {
|
||||
* @param subject the user's subject
|
||||
*/
|
||||
UserGroupInformation(Subject subject) {
|
||||
this(subject, false);
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a UGI from the given subject.
|
||||
* @param subject the subject
|
||||
* @param externalKeyTab if the subject's keytab is managed by the user.
|
||||
* Setting this to true will prevent UGI from attempting
|
||||
* to login the keytab, or to renew it.
|
||||
*/
|
||||
private UserGroupInformation(Subject subject, final boolean externalKeyTab) {
|
||||
this.subject = subject;
|
||||
this.user = subject.getPrincipals(User.class).iterator().next();
|
||||
this.isKeytab = KerberosUtil.hasKerberosKeyTab(subject);
|
||||
if (externalKeyTab) {
|
||||
this.isKeytab = false;
|
||||
} else {
|
||||
this.isKeytab = KerberosUtil.hasKerberosKeyTab(subject);
|
||||
}
|
||||
this.isKrbTkt = KerberosUtil.hasKerberosTicket(subject);
|
||||
}
|
||||
|
||||
@ -850,10 +865,11 @@ static void loginUserFromSubject(Subject subject) throws IOException {
|
||||
newLoginContext(authenticationMethod.getLoginAppName(),
|
||||
subject, new HadoopConfiguration());
|
||||
login.login();
|
||||
UserGroupInformation realUser = new UserGroupInformation(subject);
|
||||
LOG.debug("Assuming keytab is managed externally since logged in from"
|
||||
+ " subject.");
|
||||
UserGroupInformation realUser = new UserGroupInformation(subject, true);
|
||||
realUser.setLogin(login);
|
||||
realUser.setAuthenticationMethod(authenticationMethod);
|
||||
realUser = new UserGroupInformation(login.getSubject());
|
||||
// If the HADOOP_PROXY_USER environment variable or property
|
||||
// is specified, create a proxy user as the logged in user.
|
||||
String proxyUser = System.getenv(HADOOP_PROXY_USER);
|
||||
|
@ -37,6 +37,7 @@
|
||||
|
||||
import javax.security.auth.Subject;
|
||||
import javax.security.auth.kerberos.KerberosPrincipal;
|
||||
import javax.security.auth.kerberos.KeyTab;
|
||||
import javax.security.auth.login.AppConfigurationEntry;
|
||||
import javax.security.auth.login.LoginContext;
|
||||
|
||||
@ -1030,4 +1031,27 @@ public void testExternalTokenFiles() throws Exception {
|
||||
assertTrue(credsugiTokens.contains(token1));
|
||||
assertTrue(credsugiTokens.contains(token2));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testCheckTGTAfterLoginFromSubject() throws Exception {
|
||||
// security on, default is remove default realm
|
||||
SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, conf);
|
||||
UserGroupInformation.setConfiguration(conf);
|
||||
|
||||
// Login from a pre-set subject with a keytab
|
||||
final Subject subject = new Subject();
|
||||
KeyTab keytab = KeyTab.getInstance();
|
||||
subject.getPrivateCredentials().add(keytab);
|
||||
UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
|
||||
ugi.doAs(new PrivilegedExceptionAction<Void>() {
|
||||
@Override
|
||||
public Void run() throws IOException {
|
||||
UserGroupInformation.loginUserFromSubject(subject);
|
||||
// this should not throw.
|
||||
UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
|
||||
return null;
|
||||
}
|
||||
});
|
||||
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user