
commit 652fe6f04263a70084a7595c3af47d4f610c5569
Author: Boris Shkolnik <borya@yahoo-inc.com>
Date: Fri May 14 17:35:40 2010 -0700

HADOOP:6706 from https://issues.apache.org/jira/secure/attachment/12444549/HADOOP-6706-BP20-fix3.patch

+++ b/YAHOO-CHANGES.txt
+ HADOOP-6706.FIX. Relogin behavior for RPC clients could be improved
+ (boryas)
+


git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-0.20-security-patches@1077465 13f79535-47bb-0310-9956-ffa450edef68

Owen O'Malley 14 years ago
parent
commit
d942efc5bd

+ 6 - 2
src/core/org/apache/hadoop/ipc/Client.java

@@ -358,9 +358,13 @@ public class Client {
         UserGroupInformation.getCurrentUser();
       UserGroupInformation realUser = currentUser.getRealUser();
       if (authMethod == AuthMethod.KERBEROS && 
+          loginUser != null &&
+          //Make sure user logged in using Kerberos either keytab or TGT
+          loginUser.hasKerberosCredentials() && 
           // relogin only in case it is the login user (e.g. JT)
-          // or superuser (like oozie).
-          (currentUser.equals(loginUser) || loginUser.equals(realUser))) {
+          // or superuser (like oozie). 
+          (loginUser.equals(currentUser) || loginUser.equals(realUser))
+          ) {
           return true;
       }
       return false;
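Review bot: The two guards added before the `equals` test make this check return false with no trace when the login user is null or holds no Kerberos credentials, so a skipped relogin is indistinguishable from a non-Kerberos connection when someone is debugging an authentication failure. Pulling them out in front as `if (loginUser == null || !loginUser.hasKerberosCredentials()) return false;`, with a debug-level message inside that branch through whatever logger this class already has, would make the reason visible and leave the remaining condition readable without the dangling `) {` line. The assignment of `loginUser` and the method signature are outside the hunk, so whether it can actually be null here is not visible.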

+ 11 - 1
src/core/org/apache/hadoop/security/UserGroupInformation.java

@@ -269,6 +269,7 @@ public class UserGroupInformation {
   // All non-static fields must be read-only caches that come from the subject.
   private final User user;
   private final boolean isKeytab;
+  private final boolean isKrbTkt;
   
   private static final String OS_LOGIN_MODULE_NAME;
   private static final Class<? extends Principal> OS_PRINCIPAL_CLASS;
@@ -410,6 +411,15 @@ public class UserGroupInformation {
     this.subject = subject;
     this.user = subject.getPrincipals(User.class).iterator().next();
     this.isKeytab = !subject.getPrivateCredentials(KerberosKey.class).isEmpty();
+    this.isKrbTkt = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
+  }
+  
+  /**
+   * checks if logged in using kerberos
+   * @return true if the subject logged via keytab or has a Kerberos TGT
+   */
+  public boolean hasKerberosCredentials() {
+    return isKeytab || isKrbTkt;
   }
 
   /**
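Review bot: The Javadoc on `hasKerberosCredentials()` promises a TGT, but `isKrbTkt` is set from `subject.getPrivateCredentials(KerberosTicket.class)`, which matches any Kerberos ticket in the subject, service tickets included, and says nothing about expiry. Both flags are final fields computed once in the constructor, so the result describes the subject when this object was built rather than its current state. Since Client.java now uses this method to gate relogin, the doc should say so: `@return true if the subject held a Kerberos key or any Kerberos ticket when this object was created; ticket validity is not checked`. The constructor's opening lines are outside the hunk.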
@@ -598,7 +608,7 @@ public class UserGroupInformation {
   throws IOException {
     if (!isSecurityEnabled() || 
         user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS ||
-        isKeytab)
+        !isKrbTkt)
       return;
     LoginContext login = getLogin();
     if (login == null) {
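Review bot: Replacing `isKeytab` with `!isKrbTkt` in this guard drops the old exclusion of keytab logins: a subject that logged in from a keytab normally also carries the TGT it obtained, so `isKrbTkt` would be true for it and the method now continues to `getLogin()`. If this is the ticket-cache relogin path (the method signature is outside the hunk, so that is inferred), keeping both tests as `isKeytab || !isKrbTkt)` would preserve the previous behaviour for keytab users while adding the new no-ticket check. If the change is intentional because callers pick the relogin path themselves, a comment on the guard saying so would help. The method body continues past the end of the hunk.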