UGI

Author: pan3793

hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java

@@ -19,6 +19,7 @@
 import org.apache.hadoop.security.authentication.server.HttpConstants;
 import org.apache.hadoop.security.authentication.util.AuthToken;
 import org.apache.hadoop.security.authentication.util.KerberosUtil;
+import org.apache.hadoop.util.SubjectUtil;
 import org.ietf.jgss.GSSContext;
 import org.ietf.jgss.GSSManager;
 import org.ietf.jgss.GSSName;
@@ -35,8 +36,6 @@
 import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.URL;
-import java.security.AccessControlContext;
-import java.security.AccessController;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
 import java.util.HashMap;
@@ -300,8 +299,7 @@ private boolean isNegotiate(HttpURLConnection conn) throws IOException {
   private void doSpnegoSequence(final AuthenticatedURL.Token token)
       throws IOException, AuthenticationException {
     try {
-      AccessControlContext context = AccessController.getContext();
-      Subject subject = Subject.getSubject(context);
+      Subject subject = SubjectUtil.current();
       if (subject == null
           || (!KerberosUtil.hasKerberosKeyTab(subject)
               && !KerberosUtil.hasKerberosTicket(subject))) {

hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/util/SubjectUtil.java

@@ -0,0 +1,214 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.util;
+
+import java.lang.invoke.MethodHandle;
+import java.lang.invoke.MethodHandles;
+import java.lang.invoke.MethodType;
+import java.lang.reflect.UndeclaredThrowableException;
+import java.security.PrivilegedAction;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.concurrent.Callable;
+import java.util.concurrent.CompletionException;
+
+import javax.security.auth.Subject;
+
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+
+@Private
+public class SubjectUtil {
+  private static MethodHandle CALL_AS;
+  private static MethodHandle CURRENT;
+
+  static {
+    MethodHandles.Lookup lookup = MethodHandles.lookup();
+    try {
+      try {
+        // Subject.doAs() is deprecated for removal and replaced by Subject.callAs().
+        // Lookup first the new API, since for Java versions where both exist, the
+        // new API delegates to the old API (e.g. Java 18, 19 and 20).
+        // Otherwise (e.g. Java 17), lookup the old API.
+        CALL_AS = lookup.findStatic(Subject.class, "callAs",
+            MethodType.methodType(Object.class, Subject.class, Callable.class));
+      } catch (NoSuchMethodException x) {
+        try {
+          // Lookup the old API.
+          MethodType oldSignature = MethodType.methodType(
+              Object.class, Subject.class, PrivilegedExceptionAction.class);
+          MethodHandle doAs = lookup.findStatic(Subject.class, "doAs", oldSignature);
+          // Convert the Callable used in the new API to the PrivilegedAction used
+          // in the old API.
+          MethodType convertSignature = MethodType.methodType(
+              PrivilegedExceptionAction.class, Callable.class);
+          MethodHandle converter = lookup.findStatic(
+              SubjectUtil.class, "callableToPrivilegedExceptionAction", convertSignature);
+          CALL_AS = MethodHandles.filterArguments(doAs, 1, converter);
+        } catch (NoSuchMethodException e) {
+          throw new AssertionError(e);
+        }
+      }
+    } catch (IllegalAccessException e) {
+      throw new AssertionError(e);
+    }
+  }
+
+  static {
+    MethodHandles.Lookup lookup = MethodHandles.lookup();
+    try {
+      // Subject.getSubject(AccessControlContext) is deprecated for removal and
+      // replaced by Subject.current().
+      // Lookup first the new API, since for Java versions where both exists, the
+      // new API delegates to the old API (e.g. Java 18, 19 and 20).
+      // Otherwise (e.g. Java 17), lookup the old API.
+      CURRENT = lookup.findStatic(
+          Subject.class, "current", MethodType.methodType(Subject.class));
+    } catch (NoSuchMethodException e) {
+      MethodHandle getContext = lookupGetContext();
+      MethodHandle getSubject = lookupGetSubject();
+      CURRENT = MethodHandles.filterReturnValue(getContext, getSubject);
+    } catch (IllegalAccessException e) {
+      throw new AssertionError(e);
+    }
+  }
+
+  private static MethodHandle lookupGetSubject() {
+    MethodHandles.Lookup lookup = MethodHandles.lookup();
+    try {
+      Class<?> contextKlass = ClassLoader.getSystemClassLoader()
+          .loadClass("java.security.AccessControlContext");
+      return lookup.findStatic(Subject.class,
+          "getSubject", MethodType.methodType(Subject.class, contextKlass));
+    } catch (ClassNotFoundException | NoSuchMethodException | IllegalAccessException e) {
+      throw new AssertionError(e);
+    }
+  }
+
+  private static MethodHandle lookupGetContext() {
+    try {
+      // Use reflection to work with Java versions that have and don't have
+      // AccessController.
+      Class<?> controllerKlass = ClassLoader.getSystemClassLoader()
+          .loadClass("java.security.AccessController");
+      Class<?> contextKlass = ClassLoader.getSystemClassLoader()
+          .loadClass("java.security.AccessControlContext");
+
+      MethodHandles.Lookup lookup = MethodHandles.lookup();
+      return lookup.findStatic(
+          controllerKlass, "getContext", MethodType.methodType(contextKlass));
+    } catch (ClassNotFoundException | NoSuchMethodException | IllegalAccessException e) {
+      throw new AssertionError(e);
+    }
+  }
+
+  /**
+   * Maps to Subject.callAs() if available, otherwise maps to Subject.doAs().
+   * It also wraps the Callable so that the Subject is propagated to the new thread
+   * in all Java versions.
+   *
+   * @param subject the subject this action runs as
+   * @param action  the action to run
+   * @return the result of the action
+   * @param <T> the type of the result
+   * @throws CompletionException
+   */
+  @SuppressWarnings("unchecked")
+  public static <T> T callAs(Subject subject, Callable<T> action) throws CompletionException {
+    try {
+      return (T) CALL_AS.invoke(subject, action);
+    } catch (PrivilegedActionException e) {
+      throw new CompletionException(e.getCause());
+    } catch (Throwable t) {
+      throw sneakyThrow(t);
+    }
+  }
+
+  /**
+   * Maps action to a Callable, and delegates to callAs(). On older JVMs, the
+   * action may be double wrapped (into Callable, and then back into
+   * PrivilegedAction).
+   *
+   * @param subject the subject this action runs as
+   * @param action action  the action to run
+   * @return the result of the action
+   */
+  public static <T> T doAs(Subject subject, PrivilegedAction<T> action) {
+    return callAs(subject, privilegedActionToCallable(action));
+  }
+
+  /**
+   * Maps action to a Callable, and delegates to callAs(). On older JVMs, the
+   * action may be double wrapped (into Callable, and then back into
+   * PrivilegedAction).
+   *
+   * @param subject the subject this action runs as
+   * @param action action  the action to run
+   * @return the result of the action
+   */
+  public static <T> T doAs(
+      Subject subject, PrivilegedExceptionAction<T> action) throws PrivilegedActionException {
+    try {
+      return callAs(subject, privilegedExceptionActionToCallable(action));
+    } catch (CompletionException ce) {
+      try {
+        Exception cause = (Exception) (ce.getCause());
+        throw new PrivilegedActionException(cause);
+      } catch (ClassCastException castException) {
+        // This should never happen, as PrivilegedExceptionAction should not wrap
+        // non-checked exceptions
+        throw new PrivilegedActionException(new UndeclaredThrowableException(ce.getCause()));
+      }
+    }
+  }
+
+  /**
+   * Maps to Subject.currect() is available, otherwise maps to
+   * Subject.getSubject()
+   *
+   * @return the current subject
+   */
+  public static Subject current() {
+    try {
+      return (Subject) CURRENT.invoke();
+    } catch (Throwable t) {
+      throw sneakyThrow(t);
+    }
+  }
+
+  @SuppressWarnings("unused")
+  private static <T> PrivilegedExceptionAction<T> callableToPrivilegedExceptionAction(
+      Callable<T> callable) {
+    return callable::call;
+  }
+
+  private static <T> Callable<T> privilegedExceptionActionToCallable(
+      PrivilegedExceptionAction<T> action) {
+    return action::run;
+  }
+
+  private static <T> Callable<T> privilegedActionToCallable(
+      PrivilegedAction<T> action) {
+    return action::run;
+  }
+
+  @SuppressWarnings("unchecked")
+  private static <E extends Throwable> RuntimeException sneakyThrow(Throwable e) throws E {
+    throw (E) e;
+  }
+}

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java

@@ -33,8 +33,6 @@
 import java.io.File;
 import java.io.IOException;
 import java.lang.reflect.UndeclaredThrowableException;
-import java.security.AccessControlContext;
-import java.security.AccessController;
 import java.security.Principal;
 import java.security.PrivilegedAction;
 import java.security.PrivilegedActionException;
@@ -89,6 +87,7 @@
 import org.apache.hadoop.security.token.TokenIdentifier;
 import org.apache.hadoop.util.Shell;
 import org.apache.hadoop.util.StringUtils;
+import org.apache.hadoop.util.SubjectUtil;
 import org.apache.hadoop.util.Time;
 
 import org.slf4j.Logger;
@@ -585,8 +584,7 @@ public boolean hasKerberosCredentials() {
   @InterfaceStability.Evolving
   public static UserGroupInformation getCurrentUser() throws IOException {
     ensureInitialized();
-    AccessControlContext context = AccessController.getContext();
-    Subject subject = Subject.getSubject(context);
+    Subject subject = SubjectUtil.current();
     if (subject == null || subject.getPrincipals(User.class).isEmpty()) {
       return getLoginUser();
     } else {
@@ -1936,9 +1934,9 @@ protected Subject getSubject() {
   @InterfaceStability.Evolving
   public <T> T doAs(PrivilegedAction<T> action) {
     tracePrivilegedAction(action);
-    return Subject.doAs(subject, action);
+    return SubjectUtil.doAs(subject, action);
   }
-  
+
   /**
    * Run the given action as the user, potentially throwing an exception.
    * @param <T> the return type of the run method
@@ -1956,7 +1954,7 @@ public <T> T doAs(PrivilegedExceptionAction<T> action
                     ) throws IOException, InterruptedException {
     try {
       tracePrivilegedAction(action);
-      return Subject.doAs(subject, action);
+      return SubjectUtil.doAs(subject, action);
     } catch (PrivilegedActionException pae) {
       Throwable cause = pae.getCause();
       LOG.debug("PrivilegedActionException as: {}", this, cause);