diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java index 30e65efe10cba..260b865aca761 100644 --- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java +++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java @@ -19,6 +19,7 @@ import org.apache.hadoop.security.authentication.server.HttpConstants; import org.apache.hadoop.security.authentication.util.AuthToken; import org.apache.hadoop.security.authentication.util.KerberosUtil; +import org.apache.hadoop.util.subject.SubjectAdapter; import org.ietf.jgss.GSSContext; import org.ietf.jgss.GSSManager; import org.ietf.jgss.GSSName; @@ -35,8 +36,6 @@ import java.io.IOException; import java.net.HttpURLConnection; import java.net.URL; -import java.security.AccessControlContext; -import java.security.AccessController; import java.security.PrivilegedActionException; import java.security.PrivilegedExceptionAction; import java.util.HashMap; @@ -300,8 +299,7 @@ private boolean isNegotiate(HttpURLConnection conn) throws IOException { private void doSpnegoSequence(final AuthenticatedURL.Token token) throws IOException, AuthenticationException { try { - AccessControlContext context = AccessController.getContext(); - Subject subject = Subject.getSubject(context); + Subject subject = SubjectAdapter.getSubject(); if (subject == null || (!KerberosUtil.hasKerberosKeyTab(subject) && !KerberosUtil.hasKerberosTicket(subject))) { 
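Review bot: In doSpnegoSequence, the null check that follows `SubjectAdapter.getSubject()` now rests on a different JDK API when running on Java 18 and above. `Subject.current()` is paired with `Subject.callAs`, and on newer JDKs where the Security Manager is not allowed it may not see a subject in threads started inside a `doAs` scope, so a null here can mean "not propagated" rather than "never set". The same applies to the getCurrentUser() hunk in UserGroupInformation.java, where a null subject visibly falls through to `return getLoginUser();`, meaning the work would run under the login identity. I would add a comment at both call sites such as `// null means no Subject is bound to this thread; on Java 18+ this comes from Subject.current()` and cover the child-thread case in a test. The body of the `if` lies outside the hunk, so what the fallback does in KerberosAuthenticator is not visible here.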
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/util/subject/ClassicSubjectAdapter.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/util/subject/ClassicSubjectAdapter.java
new file mode 100644
index 0000000000000..1ab4801c85eab
--- /dev/null
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/util/subject/ClassicSubjectAdapter.java
@@ -0,0 +1,37 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.util.subject;
+
+import javax.security.auth.Subject;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+
+/**
+ * Calls Subject methods directly, as this class should not be classloaded on Java 18 and above
+ */
+class ClassicSubjectAdapter implements HiddenSubjectAdapter {
+
+ ClassicSubjectAdapter() {}
+
+ @Override
+ public Subject getSubject() {
+ final AccessControlContext context = AccessController.getContext();
+ return Subject.getSubject(context);
+ }
+}
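Review bot: The class comment on ClassicSubjectAdapter says it "should not be classloaded on Java 18 and above" without saying what ensures that. From the rest of the commit it appears to be the version branch in SubjectAdapter's static initializer, which only instantiates this class below 18. I would spell that out, e.g. `Only instantiated by SubjectAdapter when java.specification.version is below 18; uses AccessController and Subject.getSubject, both deprecated for removal.` getSubject() should also document that a null return means no Subject is associated with the current context, since both callers in this commit branch on it.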
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/util/subject/HiddenSubjectAdapter.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/util/subject/HiddenSubjectAdapter.java
new file mode 100644
index 0000000000000..e71c5f8357d6c
--- /dev/null
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/util/subject/HiddenSubjectAdapter.java
@@ -0,0 +1,25 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.util.subject;
+
+import javax.security.auth.Subject;
+
+public interface HiddenSubjectAdapter {
+ Subject getSubject();
+}
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/util/subject/SubjectAdapter.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/util/subject/SubjectAdapter.java
new file mode 100644
index 0000000000000..552ef8af8f6c4
--- /dev/null
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/util/subject/SubjectAdapter.java
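Review bot: HiddenSubjectAdapter is declared `public` although both implementations in this commit are package-private and the only consumer visible here is SubjectAdapter in the same package. Declaring it as `interface HiddenSubjectAdapter {` would keep it out of the module's public API, which the name suggests is the intent. It also has no Javadoc: the contract that `getSubject()` may return null, and that callers treat null as "no subject bound", belongs on the interface method.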
@@ -0,0 +1,47 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.util.subject;
+
+import javax.security.auth.Subject;
+
+/**
+ * javax.security.auth.Subject.getSubject is deprecated for removal.
+ * The replacement API exists only in Java 18 and above.
+ * This class helps use the newer API if available, without raising the language level.
+ */
+public class SubjectAdapter {
+ private static final HiddenSubjectAdapter instance;
+ static {
+ int version = 0;
+ try {
+ version = Integer.parseInt(System.getProperty("java.specification.version"));
+ } catch (Throwable ignored) {}
+ if (version >= 18) {
+ instance = new SubjectAdapterJava18AndAbove();
+ } else {
+ instance = new ClassicSubjectAdapter();
+ }
+ }
+
+ private SubjectAdapter() {}
+
+ public static Subject getSubject() {
+ return instance.getSubject();
+ }
+}
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/util/subject/SubjectAdapterJava18AndAbove.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/util/subject/SubjectAdapterJava18AndAbove.java
new file mode 100644
index 0000000000000..1d20535101005
--- /dev/null
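Review bot: The static initializer in SubjectAdapter swallows every `Throwable` from the version parse and then silently selects ClassicSubjectAdapter, so any unexpected property value would route to the API that is deprecated for removal without leaving a trace. On Java 8 the property is `1.8` and the parse is expected to fail, which deserves a comment; the catch can be narrowed to `catch (NumberFormatException | SecurityException ignored) { /* "1.8"-style or unreadable value: use the classic adapter */ }`. A capability probe (look up `Subject.current` and fall back on NoSuchMethodException) would avoid depending on the version string at all. The constant would conventionally be named `INSTANCE`.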
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/util/subject/SubjectAdapterJava18AndAbove.java
@@ -0,0 +1,48 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.util.subject;
+
+import javax.security.auth.Subject;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+
+/**
+ * Indirectly calls Subject.current(), which exists in Java 18 and above only
+ */
+class SubjectAdapterJava18AndAbove implements HiddenSubjectAdapter {
+ private final Method currentMethod;
+
+ SubjectAdapterJava18AndAbove() {
+ try {
+ currentMethod = Subject.class.getMethod("current");
+ } catch (NoSuchMethodException e) {
+ throw new RuntimeException("Unable to find javax.security.auth.Subject.current() method", e);
+ }
+ }
+
+ @Override
+ public Subject getSubject() {
+ try {
+ return (Subject) currentMethod.invoke(null);
+ } catch (IllegalAccessException | InvocationTargetException e) {
+ // we would return null, but null has meaning here
+ throw new RuntimeException("Unable to call Subject.current()", e);
+ }
+ }
+}
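Review bot: In SubjectAdapterJava18AndAbove.getSubject() an InvocationTargetException is wrapped in a generic RuntimeException, so an unchecked exception thrown by `Subject.current()` itself reaches callers with its type hidden one level down. Rethrowing the cause keeps behaviour in line with the direct call in ClassicSubjectAdapter: `Throwable cause = e.getCause(); if (cause instanceof RuntimeException) throw (RuntimeException) cause;` placed before the existing `throw`. Since UserGroupInformation.getCurrentUser() now goes through this reflective call on every invocation, a `MethodHandle` resolved once in the constructor may be worth considering, though I have not measured the difference.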
diff --git a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/util/subject/TestSubjectAdapter.java b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/util/subject/TestSubjectAdapter.java
new file mode 100644
index 0000000000000..a94e992fd95f9
--- /dev/null
+++ b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/util/subject/TestSubjectAdapter.java
@@ -0,0 +1,34 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.util.subject;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+
+class TestSubjectAdapter {
+
+ @Test
+ void getSubject() {
+ // how getSubject operates depends on the JVM calling it.
+ // asserting that it does not throw is a valid test, especially on Java 18 and above
+ // prior to Java 18, this method is just a simple wrapper
+ assertDoesNotThrow(() -> SubjectAdapter.getSubject());
+ }
+}
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java
index 305e5e10af305..fa4803ab62951 100644
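Review bot: The test in TestSubjectAdapter only proves that the call does not throw, so it would still pass if getSubject() always returned null, which is exactly the value the callers in this commit treat as "no user bound". I would assert the round trip instead, e.g. `Subject s = new Subject();` followed by `assertSame(s, Subject.doAs(s, (PrivilegedAction<Subject>) SubjectAdapter::getSubject));`. Assuming the test thread itself runs without a subject, `assertNull(SubjectAdapter.getSubject());` outside any doAs scope would pin the other half of the contract.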
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java @@ -33,8 +33,6 @@ import java.io.File; import java.io.IOException; import java.lang.reflect.UndeclaredThrowableException; -import java.security.AccessControlContext; -import java.security.AccessController; import java.security.Principal; import java.security.PrivilegedAction; import java.security.PrivilegedActionException; @@ -90,6 +88,7 @@ import org.apache.hadoop.util.Shell; import org.apache.hadoop.util.StringUtils; import org.apache.hadoop.util.Time; +import org.apache.hadoop.util.subject.SubjectAdapter; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -585,8 +584,7 @@ public boolean hasKerberosCredentials() { @InterfaceStability.Evolving public static UserGroupInformation getCurrentUser() throws IOException { ensureInitialized(); - AccessControlContext context = AccessController.getContext(); - Subject subject = Subject.getSubject(context); + Subject subject = SubjectAdapter.getSubject(); if (subject == null || subject.getPrincipals(User.class).isEmpty()) { return getLoginUser(); } else {