diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java index fe6fbe437f..ed3a9d053e 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java @@ -632,9 +632,24 @@ private void setLogin(LoginContext login) { * @param subject the user's subject */ UserGroupInformation(Subject subject) { + this(subject, false); + } + + /** + * Create a UGI from the given subject. + * @param subject the subject + * @param externalKeyTab if the subject's keytab is managed by the user. + * Setting this to true will prevent UGI from attempting + * to login the keytab, or to renew it. + */ + private UserGroupInformation(Subject subject, final boolean externalKeyTab) { this.subject = subject; this.user = subject.getPrincipals(User.class).iterator().next(); - this.isKeytab = KerberosUtil.hasKerberosKeyTab(subject); + if (externalKeyTab) { + this.isKeytab = false; + } else { + this.isKeytab = KerberosUtil.hasKerberosKeyTab(subject); + } this.isKrbTkt = KerberosUtil.hasKerberosTicket(subject); } @@ -850,10 +865,11 @@ static void loginUserFromSubject(Subject subject) throws IOException { newLoginContext(authenticationMethod.getLoginAppName(), subject, new HadoopConfiguration()); login.login(); - UserGroupInformation realUser = new UserGroupInformation(subject); + LOG.debug("Assuming keytab is managed externally since logged in from" + + " subject."); + UserGroupInformation realUser = new UserGroupInformation(subject, true); realUser.setLogin(login); realUser.setAuthenticationMethod(authenticationMethod); - realUser = new UserGroupInformation(login.getSubject()); // If the HADOOP_PROXY_USER environment variable or property // is specified, create a proxy user as the logged in user. String proxyUser = System.getenv(HADOOP_PROXY_USER); diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java index a306d35533..e45d70db74 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java @@ -37,6 +37,7 @@ import javax.security.auth.Subject; import javax.security.auth.kerberos.KerberosPrincipal; +import javax.security.auth.kerberos.KeyTab; import javax.security.auth.login.AppConfigurationEntry; import javax.security.auth.login.LoginContext; @@ -1030,4 +1031,27 @@ public void testExternalTokenFiles() throws Exception { assertTrue(credsugiTokens.contains(token1)); assertTrue(credsugiTokens.contains(token2)); } + + @Test + public void testCheckTGTAfterLoginFromSubject() throws Exception { + // security on, default is remove default realm + SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, conf); + UserGroupInformation.setConfiguration(conf); + + // Login from a pre-set subject with a keytab + final Subject subject = new Subject(); + KeyTab keytab = KeyTab.getInstance(); + subject.getPrivateCredentials().add(keytab); + UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); + ugi.doAs(new PrivilegedExceptionAction() { + @Override + public Void run() throws IOException { + UserGroupInformation.loginUserFromSubject(subject); + // this should not throw. + UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab(); + return null; + } + }); + + } }