HADOOP-17432. [JDK 16] KerberosUtil#getOidInstance is broken by JEP 396 (#2546)
Reviewed-by: Steve Loughran <stevel@apache.org>
(cherry picked from commit 52217fce3d
)
This commit is contained in:
parent
ae80fc2477
commit
bdd22b61c2
@ -22,7 +22,6 @@
|
|||||||
import java.io.File;
|
import java.io.File;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.io.UnsupportedEncodingException;
|
import java.io.UnsupportedEncodingException;
|
||||||
import java.lang.reflect.Field;
|
|
||||||
import java.lang.reflect.InvocationTargetException;
|
import java.lang.reflect.InvocationTargetException;
|
||||||
import java.net.InetAddress;
|
import java.net.InetAddress;
|
||||||
import java.net.UnknownHostException;
|
import java.net.UnknownHostException;
|
||||||
@ -73,21 +72,29 @@ private static Oid getNumericOidInstance(String oidName) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the Oid instance from string oidName.
|
||||||
|
* Use {@link GSS_SPNEGO_MECH_OID}, {@link GSS_KRB5_MECH_OID},
|
||||||
|
* or {@link NT_GSS_KRB5_PRINCIPAL_OID} instead.
|
||||||
|
*
|
||||||
|
* @return Oid instance
|
||||||
|
* @param oidName The oid Name
|
||||||
|
* @throws NoSuchFieldException if the input is not supported.
|
||||||
|
*/
|
||||||
|
@Deprecated
|
||||||
public static Oid getOidInstance(String oidName)
|
public static Oid getOidInstance(String oidName)
|
||||||
throws ClassNotFoundException, GSSException, NoSuchFieldException,
|
throws NoSuchFieldException {
|
||||||
IllegalAccessException {
|
switch (oidName) {
|
||||||
Class<?> oidClass;
|
case "GSS_SPNEGO_MECH_OID":
|
||||||
if (IBM_JAVA) {
|
return GSS_SPNEGO_MECH_OID;
|
||||||
if ("NT_GSS_KRB5_PRINCIPAL".equals(oidName)) {
|
case "GSS_KRB5_MECH_OID":
|
||||||
// IBM JDK GSSUtil class does not have field for krb5 principal oid
|
return GSS_KRB5_MECH_OID;
|
||||||
return new Oid("1.2.840.113554.1.2.2.1");
|
case "NT_GSS_KRB5_PRINCIPAL":
|
||||||
|
return NT_GSS_KRB5_PRINCIPAL_OID;
|
||||||
|
default:
|
||||||
|
throw new NoSuchFieldException(
|
||||||
|
"oidName: " + oidName + " is not supported.");
|
||||||
}
|
}
|
||||||
oidClass = Class.forName("com.ibm.security.jgss.GSSUtil");
|
|
||||||
} else {
|
|
||||||
oidClass = Class.forName("sun.security.jgss.GSSUtil");
|
|
||||||
}
|
|
||||||
Field oidField = oidClass.getDeclaredField(oidName);
|
|
||||||
return (Oid)oidField.get(oidClass);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -301,11 +301,10 @@ public String call() throws Exception {
|
|||||||
GSSContext gssContext = null;
|
GSSContext gssContext = null;
|
||||||
try {
|
try {
|
||||||
String servicePrincipal = KerberosTestUtils.getServerPrincipal();
|
String servicePrincipal = KerberosTestUtils.getServerPrincipal();
|
||||||
Oid oid =
|
Oid oid = KerberosUtil.NT_GSS_KRB5_PRINCIPAL_OID;
|
||||||
KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL");
|
|
||||||
GSSName serviceName = gssManager.createName(servicePrincipal,
|
GSSName serviceName = gssManager.createName(servicePrincipal,
|
||||||
oid);
|
oid);
|
||||||
oid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
|
oid = KerberosUtil.GSS_KRB5_MECH_OID;
|
||||||
gssContext = gssManager.createContext(serviceName, oid, null,
|
gssContext = gssManager.createContext(serviceName, oid, null,
|
||||||
GSSContext.DEFAULT_LIFETIME);
|
GSSContext.DEFAULT_LIFETIME);
|
||||||
gssContext.requestCredDeleg(true);
|
gssContext.requestCredDeleg(true);
|
||||||
|
@ -30,12 +30,10 @@
|
|||||||
import org.apache.commons.codec.binary.Base64;
|
import org.apache.commons.codec.binary.Base64;
|
||||||
import org.apache.hadoop.security.UserGroupInformation;
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
import org.apache.hadoop.security.authentication.client.AuthenticationException;
|
import org.apache.hadoop.security.authentication.client.AuthenticationException;
|
||||||
import org.apache.hadoop.security.authentication.util.KerberosUtil;
|
|
||||||
import org.ietf.jgss.GSSContext;
|
import org.ietf.jgss.GSSContext;
|
||||||
import org.ietf.jgss.GSSException;
|
import org.ietf.jgss.GSSException;
|
||||||
import org.ietf.jgss.GSSManager;
|
import org.ietf.jgss.GSSManager;
|
||||||
import org.ietf.jgss.GSSName;
|
import org.ietf.jgss.GSSName;
|
||||||
import org.ietf.jgss.Oid;
|
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
|
|
||||||
@ -72,8 +70,6 @@ public static String generateToken(String server) throws
|
|||||||
@Override
|
@Override
|
||||||
public String run() throws Exception {
|
public String run() throws Exception {
|
||||||
try {
|
try {
|
||||||
// This Oid for Kerberos GSS-API mechanism.
|
|
||||||
Oid mechOid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
|
|
||||||
GSSManager manager = GSSManager.getInstance();
|
GSSManager manager = GSSManager.getInstance();
|
||||||
// GSS name for server
|
// GSS name for server
|
||||||
GSSName serverName = manager.createName("HTTP@" + server,
|
GSSName serverName = manager.createName("HTTP@" + server,
|
||||||
@ -81,8 +77,9 @@ public String run() throws Exception {
|
|||||||
// Create a GSSContext for authentication with the service.
|
// Create a GSSContext for authentication with the service.
|
||||||
// We're passing client credentials as null since we want them to
|
// We're passing client credentials as null since we want them to
|
||||||
// be read from the Subject.
|
// be read from the Subject.
|
||||||
|
// We're passing Oid as null to use the default.
|
||||||
GSSContext gssContext = manager.createContext(
|
GSSContext gssContext = manager.createContext(
|
||||||
serverName.canonicalize(mechOid), mechOid, null,
|
serverName.canonicalize(null), null, null,
|
||||||
GSSContext.DEFAULT_LIFETIME);
|
GSSContext.DEFAULT_LIFETIME);
|
||||||
gssContext.requestMutualAuth(true);
|
gssContext.requestMutualAuth(true);
|
||||||
gssContext.requestCredDeleg(true);
|
gssContext.requestCredDeleg(true);
|
||||||
@ -95,9 +92,8 @@ public String run() throws Exception {
|
|||||||
LOG.debug("Got valid challenge for host {}", serverName);
|
LOG.debug("Got valid challenge for host {}", serverName);
|
||||||
return new String(BASE_64_CODEC.encode(outToken),
|
return new String(BASE_64_CODEC.encode(outToken),
|
||||||
StandardCharsets.US_ASCII);
|
StandardCharsets.US_ASCII);
|
||||||
} catch (GSSException | IllegalAccessException
|
} catch (GSSException e) {
|
||||||
| NoSuchFieldException | ClassNotFoundException e) {
|
LOG.error("Error: ", e);
|
||||||
LOG.error("Error: {}", e);
|
|
||||||
throw new AuthenticationException(e);
|
throw new AuthenticationException(e);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -31,7 +31,6 @@
|
|||||||
import org.apache.hadoop.security.SecurityUtil;
|
import org.apache.hadoop.security.SecurityUtil;
|
||||||
import org.apache.hadoop.security.UserGroupInformation;
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
import org.apache.hadoop.security.authentication.client.AuthenticationException;
|
import org.apache.hadoop.security.authentication.client.AuthenticationException;
|
||||||
import org.apache.hadoop.security.authentication.util.KerberosUtil;
|
|
||||||
import org.apache.hadoop.yarn.api.records.NodeLabel;
|
import org.apache.hadoop.yarn.api.records.NodeLabel;
|
||||||
import org.apache.hadoop.yarn.conf.HAUtil;
|
import org.apache.hadoop.yarn.conf.HAUtil;
|
||||||
import org.apache.hadoop.yarn.conf.YarnConfiguration;
|
import org.apache.hadoop.yarn.conf.YarnConfiguration;
|
||||||
@ -39,7 +38,6 @@
|
|||||||
import org.ietf.jgss.GSSException;
|
import org.ietf.jgss.GSSException;
|
||||||
import org.ietf.jgss.GSSManager;
|
import org.ietf.jgss.GSSManager;
|
||||||
import org.ietf.jgss.GSSName;
|
import org.ietf.jgss.GSSName;
|
||||||
import org.ietf.jgss.Oid;
|
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
|
|
||||||
@ -222,8 +220,6 @@ public static String generateToken(String server) throws IOException,
|
|||||||
@Override
|
@Override
|
||||||
public String run() throws Exception {
|
public String run() throws Exception {
|
||||||
try {
|
try {
|
||||||
// This Oid for Kerberos GSS-API mechanism.
|
|
||||||
Oid mechOid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
|
|
||||||
GSSManager manager = GSSManager.getInstance();
|
GSSManager manager = GSSManager.getInstance();
|
||||||
// GSS name for server
|
// GSS name for server
|
||||||
GSSName serverName = manager.createName("HTTP@" + server,
|
GSSName serverName = manager.createName("HTTP@" + server,
|
||||||
@ -231,8 +227,9 @@ public String run() throws Exception {
|
|||||||
// Create a GSSContext for authentication with the service.
|
// Create a GSSContext for authentication with the service.
|
||||||
// We're passing client credentials as null since we want them to
|
// We're passing client credentials as null since we want them to
|
||||||
// be read from the Subject.
|
// be read from the Subject.
|
||||||
|
// We're passing Oid as null to use the default.
|
||||||
GSSContext gssContext = manager.createContext(
|
GSSContext gssContext = manager.createContext(
|
||||||
serverName.canonicalize(mechOid), mechOid, null,
|
serverName.canonicalize(null), null, null,
|
||||||
GSSContext.DEFAULT_LIFETIME);
|
GSSContext.DEFAULT_LIFETIME);
|
||||||
gssContext.requestMutualAuth(true);
|
gssContext.requestMutualAuth(true);
|
||||||
gssContext.requestCredDeleg(true);
|
gssContext.requestCredDeleg(true);
|
||||||
@ -245,8 +242,7 @@ public String run() throws Exception {
|
|||||||
LOG.debug("Got valid challenge for host {}", serverName);
|
LOG.debug("Got valid challenge for host {}", serverName);
|
||||||
return new String(BASE_64_CODEC.encode(outToken),
|
return new String(BASE_64_CODEC.encode(outToken),
|
||||||
StandardCharsets.US_ASCII);
|
StandardCharsets.US_ASCII);
|
||||||
} catch (GSSException | IllegalAccessException
|
} catch (GSSException e) {
|
||||||
| NoSuchFieldException | ClassNotFoundException e) {
|
|
||||||
LOG.error("Error: ", e);
|
LOG.error("Error: ", e);
|
||||||
throw new AuthenticationException(e);
|
throw new AuthenticationException(e);
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user