HADOOP-10342. Add a new method to UGI to use a Kerberos login subject to

build a new UGI. (Larry McCay via omalley)


git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1568525 13f79535-47bb-0310-9956-ffa450edef68

hadoop-common-project/hadoop-common/CHANGES.txt

@@ -118,6 +118,9 @@ Trunk (Unreleased)
 
     HADOOP-10325. Improve jenkins javadoc warnings from test-patch.sh (cmccabe)
 
+    HADOOP-10342. Add a new method to UGI to use a Kerberos login subject to
+    build a new UGI. (Larry McCay via omalley)
+
   BUG FIXES
 
     HADOOP-9451. Fault single-layer config if node group topology is enabled.

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java

@@ -649,7 +649,7 @@ public class Client {
               // try re-login
               if (UserGroupInformation.isLoginKeytabBased()) {
                 UserGroupInformation.getLoginUser().reloginFromKeytab();
-              } else {
+              } else if (UserGroupInformation.isLoginTicketBased()) {
                 UserGroupInformation.getLoginUser().reloginFromTicketCache();
               }
               // have granularity of milliseconds

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java

@@ -702,6 +702,35 @@ public class UserGroupInformation {
     }
   }
 
+  /**
+   * Create a UserGroupInformation from a Subject with Kerberos principal.
+   *
+   * @param user                The KerberosPrincipal to use in UGI
+   *
+   * @throws IOException        if the kerberos login fails
+   */
+  public static UserGroupInformation getUGIFromSubject(Subject subject)
+      throws IOException {
+    if (subject == null) {
+      throw new IOException("Subject must not be null");
+    }
+
+    if (subject.getPrincipals(KerberosPrincipal.class).isEmpty()) {
+      throw new IOException("Provided Subject must contain a KerberosPrincipal");
+    }
+
+    KerberosPrincipal principal =
+        subject.getPrincipals(KerberosPrincipal.class).iterator().next();
+
+    User ugiUser = new User(principal.getName(),
+        AuthenticationMethod.KERBEROS, null);
+    subject.getPrincipals().add(ugiUser);
+    UserGroupInformation ugi = new UserGroupInformation(subject);
+    ugi.setLogin(null);
+    ugi.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
+    return ugi;
+  }
+
   /**
    * Get the currently logged in user.
    * @return the logged in user
@@ -1101,6 +1130,14 @@ public class UserGroupInformation {
     return getLoginUser().isKeytab;
   }
 
+  /**
+   * Did the login happen via ticket cache
+   * @return true or false
+   */
+  public static boolean isLoginTicketBased()  throws IOException {
+    return getLoginUser().isKrbTkt;
+  }
+
   /**
    * Create a user from a login name. It is intended to be used for remote
    * users in RPC, since it won't have any credentials.
@@ -1619,5 +1656,4 @@ public class UserGroupInformation {
       System.out.println("Keytab " + loginUser.isKeytab);
     }
   }
-
 }

hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUGIWithSecurityOn.java

@@ -17,8 +17,14 @@
 package org.apache.hadoop.security;
 
 import java.io.IOException;
+import java.security.PrivilegedAction;
+import java.util.Set;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
 
 import junit.framework.Assert;
+import static org.junit.Assert.*;
+
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
@@ -72,4 +78,40 @@ public class TestUGIWithSecurityOn {
       ex.printStackTrace();
     }
   }
+
+  @Test
+  public void testGetUGIFromKerberosSubject() throws IOException {
+    String user1keyTabFilepath = System.getProperty("kdc.resource.dir")
+        + "/keytabs/user1.keytab";
+
+    UserGroupInformation ugi = UserGroupInformation
+        .loginUserFromKeytabAndReturnUGI("user1@EXAMPLE.COM",
+            user1keyTabFilepath);
+    Set<KerberosPrincipal> principals = ugi.getSubject().getPrincipals(
+        KerberosPrincipal.class);
+    if (principals.isEmpty()) {
+      Assert.fail("There should be a kerberos principal in the subject.");
+    }
+    else {
+      UserGroupInformation ugi2 = UserGroupInformation.getUGIFromSubject(
+          ugi.getSubject());
+      if (ugi2 != null) {
+        ugi2.doAs(new PrivilegedAction<Object>() {
+
+          @Override
+          public Object run() {
+            try {
+              UserGroupInformation ugi3 = UserGroupInformation.getCurrentUser();
+              String doAsUserName = ugi3.getUserName();
+              assertEquals(doAsUserName, "user1@EXAMPLE.COM");
+              System.out.println("DO AS USERNAME: " + doAsUserName);
+            } catch (IOException e) {
+              e.printStackTrace();
+            }
+            return null;
+          }
+        });
+      }
+    }
+  }
 }

hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java

@@ -28,6 +28,7 @@ import org.apache.hadoop.util.Shell;
 import org.junit.*;
 
 import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosPrincipal;
 import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.LoginContext;
 import java.io.BufferedReader;
@@ -768,6 +769,16 @@ public class TestUserGroupInformation {
       });
   }
 
+  @Test (timeout = 30000)
+  public void testGetUGIFromSubject() throws Exception {
+    KerberosPrincipal p = new KerberosPrincipal("guest");
+    Subject subject = new Subject();
+    subject.getPrincipals().add(p);
+    UserGroupInformation ugi = UserGroupInformation.getUGIFromSubject(subject);
+    assertNotNull(ugi);
+    assertEquals("guest@DEFAULT.REALM", ugi.getUserName());
+  }
+
   /** Test hasSufficientTimeElapsed method */
   @Test (timeout = 30000)
   public void testHasSufficientTimeElapsed() throws Exception {