Details

    • Hadoop Flags:
      Reviewed

      Description

      Krb5LoginModule changed subtly in java 8: in particular, if useKeyTab and storeKey are specified, then only a KeyTab object is added to the Subject's private credentials, whereas in java <= 7 both a KeyTab and some number of KerberosKey objects were added.

      The UGI constructor checks whether or not a keytab was used to login by looking if there are any KerberosKey objects in the Subject's private credentials. If there are, then isKeyTab is set to true, and otherwise it's set to false.

      Thus, in java 8 isKeyTab is always false given the current UGI implementation, which makes UGI#reloginFromKeytab fail silently.

      Attached patch will check for a KeyTab object on the Subject, instead of a KerberosKey object. This fixes relogins from kerberos keytabs on Oracle java 8, and works on Oracle java 7 as well.

        Attachments

        1. HADOOP-10786.patch
          1 kB
          Tobi Vollebregt
        2. HADOOP-10786.5.patch
          7 kB
          Stephen Chu
        3. HADOOP-10786.4.patch
          7 kB
          Stephen Chu
        4. HADOOP-10786.3.patch
          7 kB
          Stephen Chu
        5. HADOOP-10786.3.patch
          7 kB
          Stephen Chu
        6. HADOOP-10786.2.patch
          7 kB
          Stephen Chu

          Issue Links

            Activity

              People

              • Assignee:
                schu Stephen Chu
                Reporter:
                Tobi Tobi Vollebregt
              • Votes:
                1 Vote for this issue
                Watchers:
                29 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: