HADOOP-17432. [JDK 16] KerberosUtil#getOidInstance is broken by JEP 396 (#2546)

Reviewed-by: Steve Loughran <stevel@apache.org>
(cherry picked from commit 52217fce3d)
This commit is contained in:
Akira Ajisaka 2021-02-05 16:14:10 +09:00
parent ae80fc2477
commit bdd22b61c2
No known key found for this signature in database
GPG Key ID: C1EDBB9CA400FD50
4 changed files with 31 additions and 33 deletions

View File

@ -22,7 +22,6 @@
import java.io.File;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.net.InetAddress;
import java.net.UnknownHostException;
@ -73,21 +72,29 @@ private static Oid getNumericOidInstance(String oidName) {
}
}
public static Oid getOidInstance(String oidName)
throws ClassNotFoundException, GSSException, NoSuchFieldException,
IllegalAccessException {
Class<?> oidClass;
if (IBM_JAVA) {
if ("NT_GSS_KRB5_PRINCIPAL".equals(oidName)) {
// IBM JDK GSSUtil class does not have field for krb5 principal oid
return new Oid("1.2.840.113554.1.2.2.1");
}
oidClass = Class.forName("com.ibm.security.jgss.GSSUtil");
} else {
oidClass = Class.forName("sun.security.jgss.GSSUtil");
/**
* Returns the Oid instance from string oidName.
* Use {@link GSS_SPNEGO_MECH_OID}, {@link GSS_KRB5_MECH_OID},
* or {@link NT_GSS_KRB5_PRINCIPAL_OID} instead.
*
* @return Oid instance
* @param oidName The oid Name
* @throws NoSuchFieldException if the input is not supported.
*/
@Deprecated
public static Oid getOidInstance(String oidName)
throws NoSuchFieldException {
switch (oidName) {
case "GSS_SPNEGO_MECH_OID":
return GSS_SPNEGO_MECH_OID;
case "GSS_KRB5_MECH_OID":
return GSS_KRB5_MECH_OID;
case "NT_GSS_KRB5_PRINCIPAL":
return NT_GSS_KRB5_PRINCIPAL_OID;
default:
throw new NoSuchFieldException(
"oidName: " + oidName + " is not supported.");
}
Field oidField = oidClass.getDeclaredField(oidName);
return (Oid)oidField.get(oidClass);
}
/**

View File

@ -301,11 +301,10 @@ public String call() throws Exception {
GSSContext gssContext = null;
try {
String servicePrincipal = KerberosTestUtils.getServerPrincipal();
Oid oid =
KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL");
Oid oid = KerberosUtil.NT_GSS_KRB5_PRINCIPAL_OID;
GSSName serviceName = gssManager.createName(servicePrincipal,
oid);
oid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
oid = KerberosUtil.GSS_KRB5_MECH_OID;
gssContext = gssManager.createContext(serviceName, oid, null,
GSSContext.DEFAULT_LIFETIME);
gssContext.requestCredDeleg(true);

View File

@ -30,12 +30,10 @@
import org.apache.commons.codec.binary.Base64;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@ -72,8 +70,6 @@ public static String generateToken(String server) throws
@Override
public String run() throws Exception {
try {
// This Oid for Kerberos GSS-API mechanism.
Oid mechOid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
GSSManager manager = GSSManager.getInstance();
// GSS name for server
GSSName serverName = manager.createName("HTTP@" + server,
@ -81,8 +77,9 @@ public String run() throws Exception {
// Create a GSSContext for authentication with the service.
// We're passing client credentials as null since we want them to
// be read from the Subject.
// We're passing Oid as null to use the default.
GSSContext gssContext = manager.createContext(
serverName.canonicalize(mechOid), mechOid, null,
serverName.canonicalize(null), null, null,
GSSContext.DEFAULT_LIFETIME);
gssContext.requestMutualAuth(true);
gssContext.requestCredDeleg(true);
@ -95,9 +92,8 @@ public String run() throws Exception {
LOG.debug("Got valid challenge for host {}", serverName);
return new String(BASE_64_CODEC.encode(outToken),
StandardCharsets.US_ASCII);
} catch (GSSException | IllegalAccessException
| NoSuchFieldException | ClassNotFoundException e) {
LOG.error("Error: {}", e);
} catch (GSSException e) {
LOG.error("Error: ", e);
throw new AuthenticationException(e);
}
}

View File

@ -31,7 +31,6 @@
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.hadoop.yarn.api.records.NodeLabel;
import org.apache.hadoop.yarn.conf.HAUtil;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
@ -39,7 +38,6 @@
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@ -222,8 +220,6 @@ public static String generateToken(String server) throws IOException,
@Override
public String run() throws Exception {
try {
// This Oid for Kerberos GSS-API mechanism.
Oid mechOid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
GSSManager manager = GSSManager.getInstance();
// GSS name for server
GSSName serverName = manager.createName("HTTP@" + server,
@ -231,8 +227,9 @@ public String run() throws Exception {
// Create a GSSContext for authentication with the service.
// We're passing client credentials as null since we want them to
// be read from the Subject.
// We're passing Oid as null to use the default.
GSSContext gssContext = manager.createContext(
serverName.canonicalize(mechOid), mechOid, null,
serverName.canonicalize(null), null, null,
GSSContext.DEFAULT_LIFETIME);
gssContext.requestMutualAuth(true);
gssContext.requestCredDeleg(true);
@ -245,8 +242,7 @@ public String run() throws Exception {
LOG.debug("Got valid challenge for host {}", serverName);
return new String(BASE_64_CODEC.encode(outToken),
StandardCharsets.US_ASCII);
} catch (GSSException | IllegalAccessException
| NoSuchFieldException | ClassNotFoundException e) {
} catch (GSSException e) {
LOG.error("Error: ", e);
throw new AuthenticationException(e);
}