storm-commits mailing list archives

From bo...@apache.org
Subject [04/50] storm git commit: STORM-427: AutoTGT and HBase can expose JVM kerberos bug.
Date Thu, 13 Nov 2014 19:36:59 GMT
STORM-427: AutoTGT and HBase can expose JVM kerberos bug.


Project: http://git-wip-us.apache.org/repos/asf/storm/repo
Commit: http://git-wip-us.apache.org/repos/asf/storm/commit/ee5bb179
Tree: http://git-wip-us.apache.org/repos/asf/storm/tree/ee5bb179
Diff: http://git-wip-us.apache.org/repos/asf/storm/diff/ee5bb179

Branch: refs/heads/master
Commit: ee5bb1792afc28155bd8cdf87e97ebf719c031d1
Parents: 559c883
Author: Robert (Bobby) Evans <evans@yahoo-inc.com>
Authored: Tue Jul 29 16:47:19 2014 -0500
Committer: Robert (Bobby) Evans <evans@yahoo-inc.com>
Committed: Tue Jul 29 16:47:19 2014 -0500

----------------------------------------------------------------------
 .../storm/security/auth/kerberos/AutoTGT.java   | 22 ++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/storm/blob/ee5bb179/storm-core/src/jvm/backtype/storm/security/auth/kerberos/AutoTGT.java
----------------------------------------------------------------------
diff --git a/storm-core/src/jvm/backtype/storm/security/auth/kerberos/AutoTGT.java b/storm-core/src/jvm/backtype/storm/security/auth/kerberos/AutoTGT.java
index 52bf540..1e07daa 100644
--- a/storm-core/src/jvm/backtype/storm/security/auth/kerberos/AutoTGT.java
+++ b/storm-core/src/jvm/backtype/storm/security/auth/kerberos/AutoTGT.java
@@ -33,12 +33,14 @@ import java.lang.reflect.Method;
 import java.lang.reflect.Constructor;
 import java.security.Principal;
 import java.util.concurrent.atomic.AtomicReference;
+import java.util.Iterator;
 
 import javax.security.auth.kerberos.KerberosTicket;
 import javax.security.auth.kerberos.KerberosPrincipal;
 import javax.security.auth.login.Configuration;
 import javax.security.auth.login.LoginException;
 import javax.security.auth.login.LoginContext;
+import javax.security.auth.DestroyFailedException;
 import javax.security.auth.RefreshFailedException;
 import javax.security.auth.Subject;
 import javax.xml.bind.DatatypeConverter;
@@ -152,10 +154,22 @@ public class AutoTGT implements IAutoCredentials, ICredentialsRenewer
{
     private void populateSubjectWithTGT(Subject subject, Map<String, String> credentials)
{
         KerberosTicket tgt = getTGT(credentials);
         if (tgt != null) {
-            KerberosTicket oldTGT = getTGT(subject);
-            subject.getPrivateCredentials().add(tgt);
-            if (oldTGT != null && !oldTGT.equals(tgt)) {
-                subject.getPrivateCredentials().remove(oldTGT);
+            Set<Object> creds = subject.getPrivateCredentials();
+            synchronized(creds) {
+                Iterator<Object> iterator = creds.iterator();
+                while (iterator.hasNext()) {
+                    Object o = iterator.next();
+                    if (o instanceof KerberosTicket) {
+                        KerberosTicket t = (KerberosTicket)o;
+                        iterator.remove();
+                        try {
+                            t.destroy();
+                        } catch (DestroyFailedException  e) {
+                            LOG.warn("Failed to destory ticket ", e);
+                        }
+                    }
+                }
+                creds.add(tgt);
             }
             subject.getPrincipals().add(tgt.getClient());
             kerbTicket.set(tgt);
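Review bot: Between `t.destroy()` inside the loop and `kerbTicket.set(tgt)` on the last line of the hunk, `kerbTicket` presumably still refers to the previous ticket, which has just been destroyed, so a reader in that window would get an unusable credential. Moving `kerbTicket.set(tgt);` above `synchronized(creds) {` would publish the new ticket before the old one is invalidated; what reads `kerbTicket` is not visible here, so confirm against its callers. The loop also removes and destroys every `KerberosTicket` in the private credentials, not only the previous TGT, so any service tickets held in the Subject are dropped too; if that is intended, say so with a comment such as `// Remove and destroy every old KerberosTicket, not just the previous TGT (STORM-427)`. The log text `"Failed to destory ticket "` has a typo and should read `"Failed to destroy ticket "`. populateSubjectWithTGT and its `if (tgt != null)` block continue past the end of the hunk.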

