[ 
https://issues.apache.org/jira/browse/HADOOP-10786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14694182#comment-14694182
 ] 

Chris Nauroth commented on HADOOP-10786:
----------------------------------------

[~schu] and [~Tobi], thank you for providing this patch.

I just wanted to share with everyone that even though this bug was reported 
against a JDK 8 code change, it appears the same change has entered the JDK 7 
code line.  I am seeing the same problem in the most recent OpenJDK build.  
With JDK 1.7.0_79, I could not repro the problem. After upgrading to JDK 
1.7.0_85, I could repro the problem. I don't know the exact minor version 
number within JDK 7 that first introduced the change, but it's somewhere in 
that range.

I also confirmed that this patch fixes the problem for JDK 1.7.0_85 too.  To 
verify, I ran the test without the corresponding fixes in 
{{UserGroupInformation}}.  I observed that the test failed on the assertion for 
{{ugi.isFromKeytab()}}.  Then, I applied the {{UserGroupInformation}} part of 
the patch, and the test passed.

Bottom line: If you want to run a secured Hadoop cluster on JDK 1.7.0_85 or 
later, then you must run Apache Hadoop 2.7.0 or later.

> Fix UGI#reloginFromKeytab on Java 8
> -----------------------------------
>
>                 Key: HADOOP-10786
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10786
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.6.0
>            Reporter: Tobi Vollebregt
>            Assignee: Stephen Chu
>             Fix For: 2.7.0
>
>         Attachments: HADOOP-10786.2.patch, HADOOP-10786.3.patch, 
> HADOOP-10786.3.patch, HADOOP-10786.4.patch, HADOOP-10786.5.patch, 
> HADOOP-10786.patch
>
>
> Krb5LoginModule changed subtly in Java 8: in particular, if useKeyTab and 
> storeKey are specified, then only a KeyTab object is added to the Subject's 
> private credentials, whereas in Java <= 7 both a KeyTab and some number of 
> KerberosKey objects were added.
> The UGI constructor checks whether or not a keytab was used to log in by 
> looking at whether there are any KerberosKey objects in the Subject's private 
> credentials. If there are, then isKeyTab is set to true, and otherwise it's 
> set to false.
> Thus, in Java 8 isKeyTab is always false given the current UGI 
> implementation, which makes UGI#reloginFromKeytab fail silently.
> The attached patch will check for a KeyTab object on the Subject, instead of a 
> KerberosKey object. This fixes relogins from Kerberos keytabs on Oracle Java 
> 8, and works on Oracle Java 7 as well.



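The two detection checks from the issue description, run side by side against constructed Subjects, as an added example that is not code from the Hadoop patch or from anyone in this thread. The class name, principal, keytab path and dummy key bytes are assumptions made up for the illustration; the Subjects are built by hand to imitate what the description says Krb5LoginModule stores, no real login is performed.

```java
import java.io.File;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;

public class KeytabDetectionDemo {

    // Check the description attributes to the unpatched UGI constructor:
    // infer "logged in from keytab" from KerberosKey private credentials.
    static boolean detectByKerberosKey(Subject s) {
        return !s.getPrivateCredentials(KerberosKey.class).isEmpty();
    }

    // Check the description attributes to the patch:
    // look for the KeyTab object itself.
    static boolean detectByKeyTab(Subject s) {
        return !s.getPrivateCredentials(KeyTab.class).isEmpty();
    }

    // Constructed Subject. withKerberosKeys=true imitates the older behaviour
    // (KeyTab plus KerberosKey objects); false imitates the newer behaviour
    // (KeyTab only) described for useKeyTab + storeKey.
    static Subject constructedSubject(boolean withKerberosKeys) {
        Subject s = new Subject();
        KerberosPrincipal p = new KerberosPrincipal("svc/host.example.com@EXAMPLE.COM");
        s.getPrincipals().add(p);
        // KeyTab.getInstance does not read the file at this point,
        // so the constructed path does not need to exist.
        s.getPrivateCredentials().add(KeyTab.getInstance(new File("constructed.keytab")));
        if (withKerberosKeys) {
            // Dummy all-zero 16-byte key, etype 17 (aes128-cts-hmac-sha1-96), kvno 1.
            s.getPrivateCredentials().add(new KerberosKey(p, new byte[16], 17, 1));
        }
        return s;
    }

    public static void main(String[] args) {
        Subject older = constructedSubject(true);
        Subject newer = constructedSubject(false);
        System.out.printf("%-28s %-12s %-12s%n", "subject contents", "KerberosKey", "KeyTab");
        System.out.printf("%-28s %-12b %-12b%n", "KeyTab + KerberosKey",
                detectByKerberosKey(older), detectByKeyTab(older));
        System.out.printf("%-28s %-12b %-12b%n", "KeyTab only",
                detectByKerberosKey(newer), detectByKeyTab(newer));
    }
}
```

The row where the two columns disagree is the case the issue describes: a keytab login that the KerberosKey-based check does not recognise, so a relogin gated on that flag would be skipped without an error.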