storm-commits mailing list archives

From kabh...@apache.org
Subject [1/3] storm git commit: [STORM-2563] Remove the workaround to handle missing UGI.loginUserFromSubject
Date Thu, 22 Jun 2017 06:44:53 GMT
Repository: storm
Updated Branches:
  refs/heads/master 63e20784a -> 980c65573


[STORM-2563] Remove the workaround to handle missing UGI.loginUserFromSubject

https://github.com/apache/storm/blob/master/storm-client/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java#L225

The "userCons.setAccessible(true)" invokes the constructor of a package-private class, bypassing
the Java access control checks and raising red flags in our internal security scans.

The "loginUserFromSubject(Subject subject)" has been added to UGI (https://issues.apache.org/jira/browse/HADOOP-10164)
and has been available since Hadoop version 2.3, released over three years ago (http://hadoop.apache.org/releases.html).

I think the workaround is no longer required since the case will not happen when using hadoop-common
versions >= 2.3.


Project: http://git-wip-us.apache.org/repos/asf/storm/repo
Commit: http://git-wip-us.apache.org/repos/asf/storm/commit/2fac9787
Tree: http://git-wip-us.apache.org/repos/asf/storm/tree/2fac9787
Diff: http://git-wip-us.apache.org/repos/asf/storm/diff/2fac9787

Branch: refs/heads/master
Commit: 2fac9787c711ee30145c4275547629394df1c67b
Parents: 820195b
Author: Arun Mahadevan <arunm@apache.org>
Authored: Wed Jun 21 10:11:36 2017 +0530
Committer: Arun Mahadevan <arunm@apache.org>
Committed: Wed Jun 21 10:11:36 2017 +0530

----------------------------------------------------------------------
 .../storm/security/auth/kerberos/AutoTGT.java   | 40 +-------------------
 1 file changed, 2 insertions(+), 38 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/storm/blob/2fac9787/storm-client/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java
----------------------------------------------------------------------
diff --git a/storm-client/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java b/storm-client/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java
index 6d8057b..5c9fa75 100644
--- a/storm-client/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java
+++ b/storm-client/src/jvm/org/apache/storm/security/auth/kerberos/AutoTGT.java
@@ -188,44 +188,8 @@ public class AutoTGT implements IAutoCredentials, ICredentialsRenewer
{
                   "in your jar");
                 return;
             }
- 
-            try {
-                Method login = ugi.getMethod("loginUserFromSubject", Subject.class);
-                login.invoke(null, subject);
-            } catch (NoSuchMethodException me) {
-                //The version of Hadoop does not have the needed client changes.
-                // So don't look now, but do something really ugly to work around it.
-                // This is because we are reaching into the hidden bits of Hadoop security,
and it works for now, but may stop at any point in time.
-
-                //We are just trying to do the following
-                // Configuration conf = new Configuration();
-                // HadoopKerberosName.setConfiguration(conf);
-                // subject.getPrincipals().add(new User(tgt.getClient().toString(), AuthenticationMethod.KERBEROS,
null));
-                String name = getTGT(subject).getClient().toString();
-
-                LOG.warn("The Hadoop client does not have loginUserFromSubject, Trying to
hack around it. This may not work...");
-                Class<?> confClass = Class.forName("org.apache.hadoop.conf.Configuration");
-                Constructor confCons = confClass.getConstructor();
-                Object conf = confCons.newInstance();
-                Class<?> hknClass = Class.forName("org.apache.hadoop.security.HadoopKerberosName");
-                Method hknSetConf = hknClass.getMethod("setConfiguration",confClass);
-                hknSetConf.invoke(null, conf);
-
-                Class<?> authMethodClass = Class.forName("org.apache.hadoop.security.UserGroupInformation$AuthenticationMethod");
-                Object kerbAuthMethod = null;
-                for (Object authMethod : authMethodClass.getEnumConstants()) {
-                    if ("KERBEROS".equals(authMethod.toString())) {
-                        kerbAuthMethod = authMethod;
-                        break;
-                    }
-                }
-
-                Class<?> userClass = Class.forName("org.apache.hadoop.security.User");
-                Constructor userCons = userClass.getConstructor(String.class, authMethodClass,
LoginContext.class);
-                userCons.setAccessible(true);
-                Object user = userCons.newInstance(name, kerbAuthMethod, null);
-                subject.getPrincipals().add((Principal)user);
-            }
+            Method login = ugi.getMethod("loginUserFromSubject", Subject.class);
+            login.invoke(null, subject);
         } catch (Exception e) {
             LOG.warn("Something went wrong while trying to initialize Hadoop through reflection.
This version of hadoop may not be compatible.", e);
         }
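
Review bot: With the NoSuchMethodException branch removed, a hadoop-common older than 2.3 now fails at ugi.getMethod("loginUserFromSubject", Subject.class) and lands in the outer catch (Exception e), which only logs the generic warning "This version of hadoop may not be compatible" and gives no hint about the required version. Consider catching NoSuchMethodException separately and logging that hadoop-common >= 2.3 is required, or stating that minimum in the project documentation, so the failure is diagnosable from the log. The diffstat shows this as the only hunk in AutoTGT.java, so the imports for Constructor, Principal and LoginContext were not touched; if nothing else in the file references them, they can be removed in the same change.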

