Revert "HADOOP-10786. Fix UGI#reloginFromKeytab on Java 8. Contributed by Stephen Chu."

Moving this to 2.7 only.

hadoop-common-project/hadoop-common/CHANGES.txt

@@ -313,8 +313,6 @@ Release 2.6.0 - UNRELEASED
 
     HADOOP-11247. Fix a couple javac warnings in NFS. (Brandon Li via wheat9)
 
-    HADOOP-10786. Fix UGI#reloginFromKeytab on Java 8. (Stephen Chu via wheat9)
-
   BUG FIXES
 
     HADOOP-11182. GraphiteSink emits wrong timestamps (Sascha Coenen via raviprak)

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java

@@ -86,21 +86,9 @@ public class UserGroupInformation {
    * Percentage of the ticket window to use before we renew ticket.
    */
   private static final float TICKET_RENEW_WINDOW = 0.80f;
-  private static boolean shouldRenewImmediatelyForTests = false;
   static final String HADOOP_USER_NAME = "HADOOP_USER_NAME";
   static final String HADOOP_PROXY_USER = "HADOOP_PROXY_USER";
-
-  /**
-   * For the purposes of unit tests, we want to test login
-   * from keytab and don't want to wait until the renew
-   * window (controlled by TICKET_RENEW_WINDOW).
-   * @param immediate true if we should login without waiting for ticket window
-   */
-  @VisibleForTesting
-  static void setShouldRenewImmediatelyForTests(boolean immediate) {
-    shouldRenewImmediatelyForTests = immediate;
-  }
-
+  
   /** 
    * UgiMetrics maintains UGI activity statistics
    * and publishes them through the metrics interfaces.
@@ -598,20 +586,6 @@ public class UserGroupInformation {
     user.setLogin(login);
   }
 
-  private static Class<?> KEY_TAB_CLASS = KerberosKey.class;
-  static {
-    try {
-      // We use KEY_TAB_CLASS to determine if the UGI is logged in from
-      // keytab. In JDK6 and JDK7, if useKeyTab and storeKey are specified
-      // in the Krb5LoginModule, then some number of KerberosKey objects
-      // are added to the Subject's private credentials. However, in JDK8,
-      // a KeyTab object is added instead. More details in HADOOP-10786.
-      KEY_TAB_CLASS = Class.forName("javax.security.auth.kerberos.KeyTab");
-    } catch (ClassNotFoundException cnfe) {
-      // Ignore. javax.security.auth.kerberos.KeyTab does not exist in JDK6.
-    }
-  }
-
   /**
    * Create a UserGroupInformation for the given subject.
    * This does not change the subject or acquire new credentials.
@@ -620,7 +594,7 @@ public class UserGroupInformation {
   UserGroupInformation(Subject subject) {
     this.subject = subject;
     this.user = subject.getPrincipals(User.class).iterator().next();
-    this.isKeytab = !subject.getPrivateCredentials(KEY_TAB_CLASS).isEmpty();
+    this.isKeytab = !subject.getPrivateCredentials(KerberosKey.class).isEmpty();
     this.isKrbTkt = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
   }
   
@@ -976,8 +950,7 @@ public class UserGroupInformation {
         || !isKeytab)
       return;
     KerberosTicket tgt = getTGT();
-    if (tgt != null && !shouldRenewImmediatelyForTests &&
-        Time.now() < getRefreshTime(tgt)) {
+    if (tgt != null && Time.now() < getRefreshTime(tgt)) {
       return;
     }
     reloginFromKeytab();
@@ -1002,14 +975,13 @@ public class UserGroupInformation {
       return;
     
     long now = Time.now();
-    if (!shouldRenewImmediatelyForTests && !hasSufficientTimeElapsed(now)) {
+    if (!hasSufficientTimeElapsed(now)) {
       return;
     }
 
     KerberosTicket tgt = getTGT();
     //Return if TGT is valid and is not going to expire soon.
-    if (tgt != null && !shouldRenewImmediatelyForTests &&
-        now < getRefreshTime(tgt)) {
+    if (tgt != null && now < getRefreshTime(tgt)) {
       return;
     }
     

hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUGILoginFromKeytab.java

@@ -1,91 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.hadoop.security;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.CommonConfigurationKeys;
-import org.apache.hadoop.minikdc.MiniKdc;
-import org.junit.After;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.Rule;
-import org.junit.Test;
-import org.junit.rules.TemporaryFolder;
-
-import java.io.File;
-
-/**
- * Verify UGI login from keytab. Check that the UGI is
- * configured to use keytab to catch regressions like
- * HADOOP-10786.
- */
-public class TestUGILoginFromKeytab {
-
-  private MiniKdc kdc;
-  private File workDir;
-
-  @Rule
-  public final TemporaryFolder folder = new TemporaryFolder();
-
-  @Before
-  public void startMiniKdc() throws Exception {
-    // This setting below is required. If not enabled, UGI will abort
-    // any attempt to loginUserFromKeytab.
-    Configuration conf = new Configuration();
-    conf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
-        "kerberos");
-    UserGroupInformation.setConfiguration(conf);
-    workDir = folder.getRoot();
-    kdc = new MiniKdc(MiniKdc.createConf(), workDir);
-    kdc.start();
-  }
-
-  @After
-  public void stopMiniKdc() {
-    if (kdc != null) {
-      kdc.stop();
-    }
-  }
-
-  /**
-   * Login from keytab using the MiniKDC and verify the UGI can successfully
-   * relogin from keytab as well. This will catch regressions like HADOOP-10786.
-   */
-  @Test
-  public void testUGILoginFromKeytab() throws Exception {
-    UserGroupInformation.setShouldRenewImmediatelyForTests(true);
-    String principal = "foo";
-    File keytab = new File(workDir, "foo.keytab");
-    kdc.createPrincipal(keytab, principal);
-
-    UserGroupInformation.loginUserFromKeytab(principal, keytab.getPath());
-    UserGroupInformation ugi = UserGroupInformation.getLoginUser();
-    Assert.assertTrue("UGI should be configured to login from keytab",
-        ugi.isFromKeytab());
-
-    // Verify relogin from keytab.
-    User user = ugi.getSubject().getPrincipals(User.class).iterator().next();
-    final long firstLogin = user.getLastLogin();
-    ugi.reloginFromKeytab();
-    final long secondLogin = user.getLastLogin();
-    Assert.assertTrue("User should have been able to relogin from keytab",
-        secondLogin > firstLogin);
-  }
-
-}