Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Patch UGI to work without security manager #45

Merged
merged 4 commits into from
May 7, 2024
Merged

Conversation

wendigo
Copy link
Contributor

@wendigo wendigo commented Mar 28, 2024

@cla-bot cla-bot bot added the cla-signed label Mar 28, 2024
@wendigo wendigo requested a review from electrum March 28, 2024 18:10
@wendigo wendigo closed this Apr 23, 2024
@electrum electrum reopened this May 1, 2024
pom.xml Show resolved Hide resolved
@wendigo
Copy link
Contributor Author

wendigo commented May 3, 2024

I've tested it locally on the Trino build:

./testing/bin/ptl test run --environment multinode-tls-kerberos -- -g cli,group_by,join,tls
tests               | 2024-05-04 00:05:58 INFO: 21 SUCCEEDED      /      0 FAILED      /      0 SKIPPED

@electrum
Copy link
Member

electrum commented May 7, 2024

I think we also need to change getCurrentUser() to use Subject.current() instead.

Copy link
Member

@findepi findepi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

refactors lgtm, but which part does make it work without security manager?

@electrum
Copy link
Member

electrum commented May 7, 2024

This uses the new Subject.callAs() and Subject.current() methods, replacing the deprecated methods.

@electrum electrum merged commit 2279b97 into master May 7, 2024
5 checks passed
@electrum electrum deleted the serafin/ugi-23 branch May 7, 2024 18:21
@wendigo
Copy link
Contributor Author

wendigo commented May 7, 2024

@findepi it doesn't mean that the SecurityManager isn't used because new methods still call the old code but the old methods will be removed in the future and new implementation for new methods will be provided that doesn't use SecurityManager.

*/
@InterfaceAudience.Public
@InterfaceStability.Evolving
public <T> T doAs(PrivilegedExceptionAction<T> action
Copy link

@mneethiraj mneethiraj Aug 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@wendigo - this version of UserGroupInformation doesn't include existing public method UserGroupInformation.doAs(PrivilegedAction<T> action), which would break any library using this method. Any specific reason to exclude this method? If not, can you please consider adding this method?

https://hadoop.apache.org/docs/stable/api/org/apache/hadoop/security/UserGroupInformation.html#doAs-java.security.PrivilegedAction-

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This Hadoop shading project is only intended for use by Trino, which doesn't use this method. Can you explain more about your use case?

Copy link
Member

@electrum electrum Aug 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We removed the PrivilegedExceptionAction version of this method as it uses javax.security.auth.Subject#doAs which is deprecated for removal as of Java 18.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mneethiraj this is an internal Trino fork, that is only used by Trino afaik. We are on JDK 22 and will switch to 23 soon, so this repo contains fixes and changes that are required by the minimum Java version we use.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This Hadoop shading project is only intended for use by Trino, which doesn't use this method. Can you explain more about your use case?

Yes. a library used in Ranger authorizer for Trino uses UserGroupInformation.doAs(PrivilegedAction<T> action) while calling Apache Ranger to get policies to authorize accesses in Trino. Move to io.trino.hadoop:apache-hadoop version 3.3.5-3 (from 3.3.5-1) broke the authorizer - due to the missing/remoed method UserGroupInformation.doAs(PrivilegedAction<T> action) in this version.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mneethiraj this is an internal Trino fork, that is only used by Trino afaik. We are on JDK 22 and will switch to 23 soon, so this repo contains fixes and changes that are required by the minimum Java version we use.

@wendigo - is it not possible to retain method UserGroupInformation.doAs(PrivilegedAction<T> action) while having its implementation updated to work with JDK 23?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do not plan to

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

any compelling reason??

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These method are deprecated and will be removed so there is no reason to keep them in the fork

@mneethiraj
Copy link

This is a public method in org.apache.hadoop.security.UserGroupInformation; this method has not been deprecated in Hadoop. Removing a public method in a widely used library class is highly risky and can break integrations that are not visible during build in Trino repo. I strongly urge not removing existing public methods.

@wendigo
Copy link
Contributor Author

wendigo commented Aug 6, 2024

@mneethiraj This is Trino fork and it maintains APIs fit for Trino, not Ranger or any other library

@wendigo
Copy link
Contributor Author

wendigo commented Aug 6, 2024

@mneethiraj the solution here is to patch Ranger libraries (and that's what we did in Starburst), not the other way around. Trino project cannot be blocked with using future versions of the JDK because we use some deprecated, to-be-removed APIs.

@mneethiraj
Copy link

@wendigo - thank you for the clarification. This is helpful.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

Successfully merging this pull request may close these issues.

4 participants