[
https://issues.apache.org/jira/browse/HADOOP-19574?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18016804#comment-18016804
]
ASF GitHub Bot commented on HADOOP-19574:
-----------------------------------------
pan3793 commented on code in PR #7892:
URL: https://github.com/apache/hadoop/pull/7892#discussion_r2307651230
##########
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/Daemon.java:
##########
@@ -18,16 +18,59 @@
package org.apache.hadoop.util;
+import java.security.PrivilegedAction;
import java.util.concurrent.ThreadFactory;
+import javax.security.auth.Subject;
+
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.security.authentication.util.SubjectUtil;
-/** A thread that has called {@link Thread#setDaemon(boolean) } with true.*/
+/** A thread that has called {@link Thread#setDaemon(boolean) } with true.
+ *
+ * The runnable code must either be specified in the runnable parameter or
+ * in the override work() method.
+ *
+ * The subject propagation is already added in either case.
+ *
+ * */
@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
@InterfaceStability.Unstable
public class Daemon extends Thread {
+ Subject startSubject;
+
+ @Override
+ public final void start() {
+ startSubject = SubjectUtil.current();
+ super.start();
+ }
+
+ /**
+ * Override this instead of run()
+ */
+ public void work() {
+ throw new IllegalArgumentException("");
Review Comment:
Could this exception have a meaningful message?
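Review bot: `Subject startSubject;` is declared package-private and mutable, so any class in `org.apache.hadoop.util` can reassign the identity the thread body will run under after `start()` has captured it. Nothing in the visible lines needs the wider access, so `private Subject startSubject;` with a short comment that it is written once in `start()` and read in `run()` would be safer. The same declaration appears in the HadoopThread.java section (together with `Runnable hadoopTarget`, which could likewise be `private`) and in the two later Daemon.java quotes. The class body continues outside this hunk, so other uses of the field are not visible here.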
##########
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/concurrent/TestSubjectPropagation.java:
##########
@@ -0,0 +1,125 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.util.concurrent;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import java.util.concurrent.Callable;
+
+import javax.security.auth.Subject;
+
+import org.apache.hadoop.security.authentication.util.SubjectUtil;
+import org.apache.hadoop.util.Daemon;
+import org.junit.jupiter.api.Test;
+
+public class TestSubjectPropagation {
+
+ private Subject childSubject = null;
+
+ @Test
+ public void testWork() {
+ Subject parentSubject = new Subject();
+ childSubject = null;
+
+ SubjectUtil.callAs(parentSubject, new Callable<Void>() {
+ public Void call() throws InterruptedException {
+ HadoopThread t = new HadoopThread() {
+ public void work() {
+ childSubject = SubjectUtil.current();
+ }
+ };
+ t.start();
+ t.join(1000);
+ return (Void) null;
+ }
+ });
+
+ assertEquals(parentSubject, childSubject);
+ }
+
+ @Test
+ public void testRunnable() {
+ Subject parentSubject = new Subject();
+ childSubject = null;
+
+ SubjectUtil.callAs(parentSubject, new Callable<Void>() {
+ public Void call() throws InterruptedException {
+ Runnable r = new Runnable() {
+ @Override
+ public void run() {
+ childSubject = SubjectUtil.current();
+ }
+ };
+
+ HadoopThread t = new HadoopThread(r);
Review Comment:
Could you add another case that uses a plain `Thread`? It should behave
differently on different JDK versions.
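Review bot: `assertEquals(parentSubject, childSubject)` in `testWork` compares with `Subject.equals`, which matches on principal and credential sets, so any other empty `Subject` would also satisfy it; `assertSame(parentSubject, childSubject)` (with the matching static import) would pin that the exact parent instance was propagated. Separately, `t.join(1000)` returns silently on timeout and `childSubject` is a plain field, so a slow worker shows up as a confusing null mismatch; an untimed `t.join()` or an `assertFalse(t.isAlive())` after the join would make that failure explicit. The anonymous `work()` override is also missing `@Override`. `testRunnable` is cut off at the end of this hunk, but its visible part follows the same pattern.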
##########
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/concurrent/HadoopThread.java:
##########
@@ -0,0 +1,105 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.util.concurrent;
+
+import java.security.PrivilegedAction;
+import javax.security.auth.Subject;
+
+import org.apache.hadoop.security.authentication.util.SubjectUtil;
+
+/**
+ * Helper class to restore Subject propagation behavior after the JEP411/JEP486
+ * changes
+ *
+ * Runnables can be specified normally, but the work() method has to be
+ * overridden instead of run() when subclassing.
+ */
+public class HadoopThread extends Thread {
+
+ Subject startSubject;
+ Runnable hadoopTarget;
+
+ public HadoopThread() {
+ super();
+ }
+
+ public HadoopThread(Runnable target) {
+ super();
+ this.hadoopTarget = target;
+ }
+
+ public HadoopThread(ThreadGroup group, Runnable target) {
+ // The target passed to Thread has no effect, we only pass it
+ // because there is no super(group) constructor.
+ super(group, target);
+ this.hadoopTarget = target;
+ }
+
+ public HadoopThread(Runnable target, String name) {
+ super(name);
+ this.hadoopTarget = target;
+ }
+
+ public HadoopThread(String name) {
+ super(name);
+ }
+
+ public HadoopThread(ThreadGroup group, String name) {
+ super(group, name);
+ }
+
+ public HadoopThread(ThreadGroup group, Runnable target, String name) {
+ super(group, name);
+ this.hadoopTarget = target;
+ }
+
+ @Override
+ public final void start() {
+ startSubject = SubjectUtil.current();
+ super.start();
+ }
+
+ /**
+ * Override this instead of run()
+ *
+ * It is really unfortunate that we have to introduce a new method and
cannot reuse run(),
+ * but since run() is designed to be overridden, I couldn't find any other
way to make this work.
+ *
+ */
+ public void work() {
+ throw new IllegalArgumentException("No Runnable was specified and work()
is not overriden");
+ }
+
+ @Override
+ public final void run() {
+ SubjectUtil.doAs(startSubject, new PrivilegedAction<Void>() {
Review Comment:
indention
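Review bot: `start()` snapshots `SubjectUtil.current()` when the thread is started, whereas, as far as I know, JDKs before 22 captured the inherited access-control context in the `Thread` constructor, so a thread constructed inside `doAs`/`callAs` and started elsewhere would now run under the starter's Subject rather than the creator's. If construction-time semantics are what callers rely on, capture the Subject in the constructors; otherwise document the start-time rule in the class Javadoc. `run()` is also callable directly without `start()`, in which case `startSubject` is still null when it is passed to `SubjectUtil.doAs`; what happens then depends on `SubjectUtil`, which is not shown. `Daemon.start()` in the neighbouring sections has the same shape. `run()` continues past the end of this hunk.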
##########
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/Daemon.java:
##########
@@ -18,16 +18,59 @@
package org.apache.hadoop.util;
+import java.security.PrivilegedAction;
import java.util.concurrent.ThreadFactory;
+import javax.security.auth.Subject;
+
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.security.authentication.util.SubjectUtil;
-/** A thread that has called {@link Thread#setDaemon(boolean) } with true.*/
+/** A thread that has called {@link Thread#setDaemon(boolean) } with true.
+ *
+ * The runnable code must either be specified in the runnable parameter or
+ * in the override work() method.
+ *
+ * The subject propagation is already added in either case.
+ *
+ * */
@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
@InterfaceStability.Unstable
public class Daemon extends Thread {
+ Subject startSubject;
+
+ @Override
+ public final void start() {
Review Comment:
indention
##########
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/Daemon.java:
##########
@@ -18,16 +18,59 @@
package org.apache.hadoop.util;
+import java.security.PrivilegedAction;
import java.util.concurrent.ThreadFactory;
+import javax.security.auth.Subject;
+
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.security.authentication.util.SubjectUtil;
-/** A thread that has called {@link Thread#setDaemon(boolean) } with true.*/
+/** A thread that has called {@link Thread#setDaemon(boolean) } with true.
+ *
+ * The runnable code must either be specified in the runnable parameter or
+ * in the override work() method.
+ *
+ * The subject propagation is already added in either case.
+ *
+ * */
@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
@InterfaceStability.Unstable
public class Daemon extends Thread {
+ Subject startSubject;
+
+ @Override
+ public final void start() {
+ startSubject = SubjectUtil.current();
+ super.start();
+ }
+
+ /**
+ * Override this instead of run()
+ */
+ public void work() {
+ throw new IllegalArgumentException("");
+ }
+
+ @Override
+ public final void run() {
+ SubjectUtil.doAs(startSubject, new PrivilegedAction<Void>() {
Review Comment:
nit: indention is incorrect here
> Restore Subject propagation semantics for Java 22+
> --------------------------------------------------
>
> Key: HADOOP-19574
> URL: https://issues.apache.org/jira/browse/HADOOP-19574
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Istvan Toth
> Assignee: Istvan Toth
> Priority: Critical
> Labels: pull-request-available
>
> Java 22 breaks Subject propagation for new Threads (when SecurityManager is
> not enabled).
> Previously, the Subject set by Subject.doAs() / Subject.callAs()
> automatically propagated to any new Threads created (via new Thread(), not
> Executors).
> With JDK22, this is no longer the case, new Threads do NOT inherit the
> Subject.
> As Hadoop heavily relies on the original behavior, we somehow need to solve
> this problem.