Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HADOOP-19212. Avoid Subject.getSubject method on newer JVMs #7081

Open
wants to merge 4 commits into
base: trunk
Choose a base branch
from
Open

HADOOP-19212. Avoid Subject.getSubject method on newer JVMs #7081

wants to merge 4 commits into from
+195 −8

Commits on Sep 30, 2024

  1. HADOOP-19293. Avoid Subject.getSubject method on newer JVMs 

    In Java 23, Subject.getSubject requires setting the system property java.security.manager to allow, else it will throw an exception.  More detail is available in the release notes: https://jdk.java.net/23/release-notes

This is in support of the eventual removal of the security manager, at which point, Subject.getSubject will be removed.  Since this project supports older Java releases, and the API which one must migrate to was only introduced in Java 18, I hid the implementations behind a runtime version check.  I verified against several local Java versions that the correct classes are loaded (and more importantly, that the incorrect classes are _not_ loaded).  The outright removal of the security manager, and by extension the Subject.getSubject method would be a particularly large problem if we do not address this, which was my motivation here.

Some manual testing on Java 11, 17, and 23:

```
» java --version
openjdk 11.0.23 2024-04-16 LTS
» java -cp hadoop-auth-3.5.0-SNAPSHOT.jar org.apache.hadoop.util.subject.SubjectAdapter
Current subject is null

» java --version
openjdk 17.0.5 2022-10-18 LTS
» java -cp hadoop-auth-3.5.0-SNAPSHOT.jar org.apache.hadoop.util.subject.SubjectAdapter
Current subject is null

» java --version
openjdk 23 2024-09-17
» java -cp hadoop-auth-3.5.0-SNAPSHOT.jar org.apache.hadoop.util.subject.SubjectAdapter
Current subject is null
```

As desired, the class containing the old implementation does not get loaded on a new JVM:
```
» java --version
openjdk 23 2024-09-17
» java -verbose:class -cp hadoop-auth-3.5.0-SNAPSHOT.jar org.apache.hadoop.util.subject.SubjectAdapter | \grep -i subject | grep "class,load" | awk '{print $2}'
org.apache.hadoop.util.subject.SubjectAdapter
org.apache.hadoop.util.subject.HiddenGetSubject
javax.security.auth.Subject
org.apache.hadoop.util.subject.GetSubjectNg
```

And the inverse is true for an older JVM:
```
» java --version
openjdk 17.0.5 2022-10-18 LTS
» java -verbose:class -cp hadoop-auth-3.5.0-SNAPSHOT.jar org.apache.hadoop.util.subject.SubjectAdapter | \grep -i subject | grep "class,load" | awk '{print $2}'
org.apache.hadoop.util.subject.SubjectAdapter
org.apache.hadoop.util.subject.HiddenGetSubject
javax.security.auth.Subject
org.apache.hadoop.util.subject.ClassicGetSubject
javax.security.auth.Subject$1
```
    Justin Brinegar committed Sep 30, 2024
    Configuration menu
    Copy the full SHA
    9541294 View commit details
    Browse the repository at this point in the history

Commits on Oct 3, 2024

  1. review feedback

    Justin Brinegar committed Oct 3, 2024
    Configuration menu
    Copy the full SHA
    e25881e View commit details
    Browse the repository at this point in the history

Commits on Oct 7, 2024

  1. rename away from "getSubject"

    Justin Brinegar committed Oct 7, 2024
    Configuration menu
    Copy the full SHA
    e6e9bd2 View commit details
    Browse the repository at this point in the history

Commits on Oct 16, 2024

  1. review feedback from pan3793

    Justin Brinegar committed Oct 16, 2024
    Configuration menu
    Copy the full SHA
    4325f46 View commit details
    Browse the repository at this point in the history