merge -r1303016:1303017 from branch-1 onto branch-1.0. Fixes HADOOP-6941.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-1.0@1303018 13f79535-47bb-0310-9956-ffa450edef68

CHANGES.txt

@@ -5,6 +5,9 @@ Hadoop Change Log
     This was done to handle the build of Hadoop with IBM's JDK. (Stephen Watt, 
     Guillermo Cabrera and ddas) 
 
+    HADOOP-6941. Adds support for building Hadoop with IBM's JDK
+    (Stephen Watt, Eli and ddas)
+
 Release 1.0.2 - 2012.03.18
 
   NEW FEATURES

src/core/org/apache/hadoop/security/KerberosName.java

@@ -25,9 +25,7 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 import org.apache.hadoop.conf.Configuration;
-
-import sun.security.krb5.Config;
-import sun.security.krb5.KrbException;
+import org.apache.hadoop.security.authentication.util.KerberosUtil;
 
 /**
  * This class implements parsing and handling of Kerberos principal names. In 
@@ -73,13 +71,11 @@ public class KerberosName {
   private static List<Rule> rules;
 
   private static String defaultRealm;
-  private static Config kerbConf;
   
   static {
     try {
-      kerbConf = Config.getInstance();
-      defaultRealm = kerbConf.getDefaultRealm();
-    } catch (KrbException ke) {
+      defaultRealm = KerberosUtil.getDefaultRealm();
+    } catch (Exception ke) {
       if(UserGroupInformation.isSecurityEnabled())
         throw new IllegalArgumentException("Can't get Kerberos configuration",ke);
       else 

src/core/org/apache/hadoop/security/SecurityUtil.java

@@ -17,6 +17,10 @@
 package org.apache.hadoop.security;
 
 import java.io.IOException;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.URI;
@@ -42,9 +46,6 @@ import org.apache.hadoop.security.token.Token;
 //this will need to be replaced someday when there is a suitable replacement
 import sun.net.dns.ResolverConfiguration;
 import sun.net.util.IPAddressUtil;
-import sun.security.jgss.krb5.Krb5Util;
-import sun.security.krb5.Credentials;
-import sun.security.krb5.PrincipalName;
 
 public class SecurityUtil {
   public static final Log LOG = LogFactory.getLog(SecurityUtil.class);
@@ -128,12 +129,41 @@ public class SecurityUtil {
     String serviceName = "host/" + remoteHost.getHost();
     if (LOG.isDebugEnabled())
       LOG.debug("Fetching service ticket for host at: " + serviceName);
-    Credentials serviceCred = null;
+    Object serviceCred = null;
+    Method credsToTicketMeth;
+    Class<?> krb5utilClass;
     try {
-      PrincipalName principal = new PrincipalName(serviceName,
-          PrincipalName.KRB_NT_SRV_HST);
-      serviceCred = Credentials.acquireServiceCreds(principal
-          .toString(), Krb5Util.ticketToCreds(getTgtFromSubject()));
+      Class<?> principalClass;
+      Class<?> credentialsClass;
+      
+      if (System.getProperty("java.vendor").contains("IBM")) {
+        principalClass = Class.forName("com.ibm.security.krb5.PrincipalName");
+        
+        credentialsClass = Class.forName("com.ibm.security.krb5.Credentials");
+        krb5utilClass = Class.forName("com.ibm.security.jgss.mech.krb5");
+      } else {
+        principalClass = Class.forName("sun.security.krb5.PrincipalName");
+        credentialsClass = Class.forName("sun.security.krb5.Credentials");
+        krb5utilClass = Class.forName("sun.security.jgss.krb5");
+      }
+      @SuppressWarnings("rawtypes")
+      Constructor principalConstructor = principalClass.getConstructor(String.class, 
+          int.class);
+      Field KRB_NT_SRV_HST = principalClass.getDeclaredField("KRB_NT_SRV_HST");
+      Method acquireServiceCredsMeth = 
+          credentialsClass.getDeclaredMethod("acquireServiceCreds", 
+              String.class, credentialsClass);
+      Method ticketToCredsMeth = krb5utilClass.getDeclaredMethod("ticketToCreds", 
+          KerberosTicket.class);
+      credsToTicketMeth = krb5utilClass.getDeclaredMethod("credsToTicket", 
+          credentialsClass);
+      
+      Object principal = principalConstructor.newInstance(serviceName,
+          KRB_NT_SRV_HST.get(principalClass));
+      
+      serviceCred = acquireServiceCredsMeth.invoke(credentialsClass, 
+          principal.toString(), 
+          ticketToCredsMeth.invoke(krb5utilClass, getTgtFromSubject()));
     } catch (Exception e) {
       throw new IOException("Can't get service ticket for: "
           + serviceName, e);
@@ -141,8 +171,13 @@ public class SecurityUtil {
     if (serviceCred == null) {
       throw new IOException("Can't get service ticket for " + serviceName);
     }
-    Subject.getSubject(AccessController.getContext()).getPrivateCredentials()
-        .add(Krb5Util.credsToTicket(serviceCred));
+    try {
+      Subject.getSubject(AccessController.getContext()).getPrivateCredentials()
+          .add(credsToTicketMeth.invoke(krb5utilClass, serviceCred));
+    } catch (Exception e) {
+      throw new IOException("Can't get service ticket for: "
+          + serviceName, e);
+    }
   }
   
   /**

src/core/org/apache/hadoop/security/UserGroupInformation.java

@@ -51,14 +51,11 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.security.authentication.util.KerberosUtil;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.TokenIdentifier;
 import org.apache.hadoop.util.Shell;
 
-import com.sun.security.auth.NTUserPrincipal;
-import com.sun.security.auth.UnixPrincipal;
-import com.sun.security.auth.module.Krb5LoginModule;
-
 /**
  * User and group information for Hadoop.
  * This class wraps around a JAAS Subject and provides methods to determine the
@@ -253,22 +250,53 @@ public class UserGroupInformation {
   private final boolean isKeytab;
   private final boolean isKrbTkt;
   
-  private static final String OS_LOGIN_MODULE_NAME;
-  private static final Class<? extends Principal> OS_PRINCIPAL_CLASS;
+  private static String OS_LOGIN_MODULE_NAME;
+  private static Class<? extends Principal> OS_PRINCIPAL_CLASS;
   private static final boolean windows = 
                            System.getProperty("os.name").startsWith("Windows");
   private static Thread renewerThread = null;
   private static volatile boolean shouldRunRenewerThread = true;
   
-  static {
-    if (windows) {
-      OS_LOGIN_MODULE_NAME = "com.sun.security.auth.module.NTLoginModule";
-      OS_PRINCIPAL_CLASS = NTUserPrincipal.class;
+  /* Return the OS login module class name */
+  private static String getOSLoginModuleName() {
+    if (System.getProperty("java.vendor").contains("IBM")) {
+      return windows ? "com.ibm.security.auth.module.NTLoginModule"
+       : "com.ibm.security.auth.module.LinuxLoginModule";    
     } else {
-      OS_LOGIN_MODULE_NAME = "com.sun.security.auth.module.UnixLoginModule";
-      OS_PRINCIPAL_CLASS = UnixPrincipal.class;
+      return windows ? "com.sun.security.auth.module.NTLoginModule"
+        : "com.sun.security.auth.module.UnixLoginModule";
     }
   }
+
+  /* Return the OS principal class */
+  @SuppressWarnings("unchecked")
+  private static Class<? extends Principal> getOsPrincipalClass() {
+    ClassLoader cl = ClassLoader.getSystemClassLoader();
+    try {
+      if (System.getProperty("java.vendor").contains("IBM")) {
+        if (windows) {
+          return (Class<? extends Principal>)
+            cl.loadClass("com.ibm.security.auth.UsernamePrincipal");
+        } else {
+          return (Class<? extends Principal>)
+            (System.getProperty("os.arch").contains("64")
+             ? cl.loadClass("com.ibm.security.auth.UsernamePrincipal")
+             : cl.loadClass("com.ibm.security.auth.LinuxPrincipal"));
+        }
+      } else {
+        return (Class<? extends Principal>) (windows
+           ? cl.loadClass("com.sun.security.auth.NTUserPrincipal")
+           : cl.loadClass("com.sun.security.auth.UnixPrincipal"));
+      }
+    } catch (ClassNotFoundException e) {
+      LOG.error("Unable to find JAAS classes:" + e.getMessage());
+    }
+    return null;
+  }
+  static {
+    OS_LOGIN_MODULE_NAME = getOSLoginModuleName();
+    OS_PRINCIPAL_CLASS = getOsPrincipalClass();
+  }
   
   private static class RealUser implements Principal {
     private final UserGroupInformation realUser;
@@ -339,7 +367,7 @@ public class UserGroupInformation {
       }
     }
     private static final AppConfigurationEntry USER_KERBEROS_LOGIN =
-      new AppConfigurationEntry(Krb5LoginModule.class.getName(),
+      new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
                                 LoginModuleControlFlag.OPTIONAL,
                                 USER_KERBEROS_OPTIONS);
     private static final Map<String,String> KEYTAB_KERBEROS_OPTIONS = 
@@ -350,7 +378,7 @@ public class UserGroupInformation {
       KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true");
     }
     private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN =
-      new AppConfigurationEntry(Krb5LoginModule.class.getName(),
+      new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
                                 LoginModuleControlFlag.REQUIRED,
                                 KEYTAB_KERBEROS_OPTIONS);
     

src/core/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java

@@ -13,12 +13,12 @@
  */
 package org.apache.hadoop.security.authentication.client;
 
-import com.sun.security.auth.module.Krb5LoginModule;
 import org.apache.commons.codec.binary.Base64;
+import org.apache.hadoop.security.authentication.util.KerberosUtil;
 import org.ietf.jgss.GSSContext;
 import org.ietf.jgss.GSSManager;
 import org.ietf.jgss.GSSName;
-import sun.security.jgss.GSSUtil;
+import org.ietf.jgss.Oid;
 
 import javax.security.auth.Subject;
 import javax.security.auth.login.AppConfigurationEntry;
@@ -26,6 +26,7 @@ import javax.security.auth.login.Configuration;
 import javax.security.auth.login.LoginContext;
 import javax.security.auth.login.LoginException;
 import java.io.IOException;
+import java.lang.reflect.Field;
 import java.net.HttpURLConnection;
 import java.net.URL;
 import java.security.AccessControlContext;
@@ -97,7 +98,7 @@ public class KerberosAuthenticator implements Authenticator {
     }
 
     private static final AppConfigurationEntry USER_KERBEROS_LOGIN =
-      new AppConfigurationEntry(Krb5LoginModule.class.getName(),
+      new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
                                 AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL,
                                 USER_KERBEROS_OPTIONS);
 
@@ -109,7 +110,7 @@ public class KerberosAuthenticator implements Authenticator {
       return USER_KERBEROS_CONF;
     }
   }
-
+  
   private URL url;
   private HttpURLConnection conn;
   private Base64 base64;
@@ -195,9 +196,12 @@ public class KerberosAuthenticator implements Authenticator {
           try {
             GSSManager gssManager = GSSManager.getInstance();
             String servicePrincipal = "HTTP/" + KerberosAuthenticator.this.url.getHost();
+            
             GSSName serviceName = gssManager.createName(servicePrincipal,
-                                                        GSSUtil.NT_GSS_KRB5_PRINCIPAL);
-            gssContext = gssManager.createContext(serviceName, GSSUtil.GSS_KRB5_MECH_OID, null,
+                                                        GSSName.NT_HOSTBASED_SERVICE);
+            Oid oid = KerberosUtil.getOidClassInstance(servicePrincipal, 
+                gssManager);
+            gssContext = gssManager.createContext(serviceName, oid, null,
                                                   GSSContext.DEFAULT_LIFETIME);
             gssContext.requestCredDeleg(true);
             gssContext.requestMutualAuth(true);

src/core/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java

@@ -15,9 +15,9 @@ package org.apache.hadoop.security.authentication.server;
 
 import org.apache.hadoop.security.authentication.client.AuthenticationException;
 import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
-import com.sun.security.auth.module.Krb5LoginModule;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.hadoop.security.KerberosName;
+import org.apache.hadoop.security.authentication.util.KerberosUtil;
 import org.ietf.jgss.GSSContext;
 import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSManager;
@@ -93,7 +93,7 @@ public class KerberosAuthenticationHandler implements AuthenticationHandler {
       }
 
       return new AppConfigurationEntry[]{
-        new AppConfigurationEntry(Krb5LoginModule.class.getName(),
+          new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
                                   AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                                   options),};
     }

src/core/org/apache/hadoop/security/authentication/util/KerberosUtil.java

@@ -0,0 +1,70 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.security.authentication.util;
+
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSManager;
+import org.ietf.jgss.Oid;
+
+public class KerberosUtil {
+
+  /* Return the Kerberos login module name */
+  public static String getKrb5LoginModuleName() {
+    return System.getProperty("java.vendor").contains("IBM")
+      ? "com.ibm.security.auth.module.Krb5LoginModule"
+      : "com.sun.security.auth.module.Krb5LoginModule";
+  }
+  
+  public static Oid getOidClassInstance(String servicePrincipal,
+      GSSManager gssManager) 
+      throws ClassNotFoundException, GSSException, NoSuchFieldException,
+      IllegalAccessException {
+    Class<?> oidClass;
+    if (System.getProperty("java.vendor").contains("IBM")) {
+      oidClass = Class.forName("com.ibm.security.jgss.GSSUtil");
+    } else {
+      oidClass = Class.forName("sun.security.jgss.GSSUtil");
+    }
+    Field oidField = oidClass.getDeclaredField("GSS_KRB5_MECH_OID");
+    return (Oid)oidField.get(oidClass);
+  }
+
+  public static String getDefaultRealm() 
+      throws ClassNotFoundException, NoSuchMethodException, 
+      IllegalArgumentException, IllegalAccessException, 
+      InvocationTargetException {
+    Object kerbConf;
+    Class<?> classRef;
+    Method getInstanceMethod;
+    Method getDefaultRealmMethod;
+    if (System.getProperty("java.vendor").contains("IBM")) {
+      classRef = Class.forName("com.ibm.security.krb5.internal.Config");
+    } else {
+      classRef = Class.forName("sun.security.krb5.Config");
+    }
+    getInstanceMethod = classRef.getMethod("getInstance", new Class[0]);
+    kerbConf = getInstanceMethod.invoke(classRef, new Object[0]);
+    getDefaultRealmMethod = classRef.getDeclaredMethod("getDefaultRealm",
+         new Class[0]);
+    return (String)getDefaultRealmMethod.invoke(kerbConf, new Object[0]);
+  }
+}

src/test/org/apache/hadoop/security/authentication/KerberosTestUtils.java

@@ -13,13 +13,15 @@
  */
 package org.apache.hadoop.security.authentication;
 
-import com.sun.security.auth.module.Krb5LoginModule;
 
 import javax.security.auth.Subject;
 import javax.security.auth.kerberos.KerberosPrincipal;
 import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.Configuration;
 import javax.security.auth.login.LoginContext;
+
+import org.apache.hadoop.security.authentication.util.KerberosUtil;
+
 import java.io.File;
 import java.security.Principal;
 import java.security.PrivilegedActionException;
@@ -88,7 +90,7 @@ public class KerberosTestUtils {
       options.put("debug", "true");
 
       return new AppConfigurationEntry[]{
-        new AppConfigurationEntry(Krb5LoginModule.class.getName(),
+        new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
                                   AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                                   options),};
     }

src/test/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java

@@ -18,15 +18,17 @@ import org.apache.hadoop.security.authentication.client.AuthenticationException;
 import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
 import junit.framework.TestCase;
 import org.apache.commons.codec.binary.Base64;
+import org.apache.hadoop.security.authentication.util.KerberosUtil;
 import org.ietf.jgss.GSSContext;
 import org.ietf.jgss.GSSManager;
 import org.ietf.jgss.GSSName;
 import org.junit.Ignore;
 import org.mockito.Mockito;
-import sun.security.jgss.GSSUtil;
+import org.ietf.jgss.Oid;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import java.lang.reflect.Field;
 import java.util.Properties;
 import java.util.concurrent.Callable;
 
@@ -116,9 +118,12 @@ public class TestKerberosAuthenticationHandler extends TestCase {
         GSSContext gssContext = null;
         try {
           String servicePrincipal = KerberosTestUtils.getServerPrincipal();
-          GSSName serviceName = gssManager.createName(servicePrincipal, GSSUtil.NT_GSS_KRB5_PRINCIPAL);
-          gssContext = gssManager.createContext(serviceName, GSSUtil.GSS_KRB5_MECH_OID, null,
-                                                GSSContext.DEFAULT_LIFETIME);
+          GSSName serviceName = gssManager.createName(servicePrincipal,
+              GSSName.NT_HOSTBASED_SERVICE);
+          Oid oid = KerberosUtil.getOidClassInstance(servicePrincipal, 
+              gssManager);
+          gssContext = gssManager.createContext(serviceName, oid, null,
+                                                  GSSContext.DEFAULT_LIFETIME);
           gssContext.requestCredDeleg(true);
           gssContext.requestMutualAuth(true);