// Callback body whose enclosing anonymous class and call begin outside this excerpt.
// It simply hands back the result of SecurityUtil.getSubjectFromTicketCacheOrNull();
// judging by that helper's name the result may be null when no usable ticket cache
// exists, so the code receiving it should null-check — TODO confirm against SecurityUtil.
@Override public Subject run() { return SecurityUtil.getSubjectFromTicketCacheOrNull(); } });
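/**
 * Decides which JAAS {@link Subject} the client should authenticate with.
 *
 * <p>Resolution order:
 * <ol>
 *   <li>A subject already associated with the calling access-control context, but only
 *       if it carries at least one {@link KerberosPrincipal}. Note that this checks for a
 *       principal, not for a valid (unexpired) ticket; as the log message states, the
 *       caller stays responsible for refreshing those credentials.</li>
 *   <li>A subject obtained via {@code SecurityUtil.getSubjectFromTicketCacheOrNull()}.</li>
 *   <li>No subject at all.</li>
 * </ol>
 *
 * @return a pair of the subject's origin ({@code PROVIDED}, {@code CREATED} or
 *         {@code NONE}) and the subject itself; the subject is {@code null} exactly when
 *         the origin is {@code NONE}
 */
private static Pair<SubjectType, Subject> setupSubject() {
  // NOTE(review): AccessController and Subject.getSubject(AccessControlContext) are
  // deprecated for removal on newer JDKs, where Subject.current() is the documented
  // replacement — confirm against the JDK versions this client has to support.
  AccessControlContext context = AccessController.getContext();
  Subject subject = Subject.getSubject(context);
  if (subject != null) {
    if (!subject.getPrincipals(KerberosPrincipal.class).isEmpty()) {
      LOG.debug("Using caller-provided subject with Kerberos principal {}. " +
          "Caller is responsible for refreshing credentials.",
          SecurityUtil.getKerberosPrincipalOrNull(subject));
      return new Pair<>(SubjectType.PROVIDED, subject);
    }
    // Log the principals only. Subject.toString() also renders the string form of every
    // private credential it can read, and a subject without Kerberos principals may still
    // hold other secrets (passwords, tokens) that must not end up in debug logs.
    LOG.debug("Caller-provided subject {} does not have any Kerberos credentials. " +
        "Ignoring it.", subject.getPrincipals());
  }

  subject = SecurityUtil.getSubjectFromTicketCacheOrNull();
  if (subject != null) {
    return new Pair<>(SubjectType.CREATED, subject);
  }

  // If we weren't able to login from a ticket cache when we create the client,
  // we shouldn't later pick one up.
  return new Pair<>(SubjectType.NONE, null);
}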
startCluster(ImmutableSet.of(Option.SHORT_TOKENS_AND_TICKETS)); Subject subject = SecurityUtil.getSubjectFromTicketCacheOrNull(); Assert.assertNotNull(subject); try (Closeable c = cla.attach()) { Subject newSubject = SecurityUtil.getSubjectFromTicketCacheOrNull(); subject.getPrivateCredentials().clear(); subject.getPrivateCredentials().addAll(newSubject.getPrivateCredentials());
/**
 * Verifies the contract for caller-supplied subjects: a client built on a subject
 * that the caller owns must never refresh that subject's credentials itself. Once the
 * short-lived ticket runs out the client is expected to fail authentication, and the
 * captured log must show both the "caller-provided subject" notice and the
 * "about to expire" warning.
 */
@Test(timeout=300000)
public void testExternallyProvidedSubjectExpires() throws Exception {
  startCluster(ImmutableSet.of(Option.SHORT_TOKENS_AND_TICKETS));

  // Log in from the ticket cache ourselves so that the subject is owned by the test,
  // not by the client under test.
  final Subject externalSubject = SecurityUtil.getSubjectFromTicketCacheOrNull();
  Assert.assertNotNull(externalSubject);

  final String expectedFailure = "server requires authentication, but " +
      "client Kerberos credentials (TGT) have expired";

  try (Closeable ignored = cla.attach()) {
    // The client is bound to the caller-owned subject ...
    KuduClient subjectClient = createClientFromSubject(externalSubject);
    try {
      // ... so nothing renews the ticket and authentication must eventually break.
      assertEventualAuthenticationFailure(subjectClient, expectedFailure);
    } finally {
      subjectClient.close();
    }
  }

  // The log capture is inspected only after the appender has been detached.
  Assert.assertThat(cla.getAppendedText(), CoreMatchers.containsString(
      "Using caller-provided subject with Kerberos principal test-admin@KRBTEST.COM."));
  Assert.assertThat(cla.getAppendedText(), CoreMatchers.containsString(
      "Caller-provided Subject has a Kerberos ticket that is about to expire"));
}