Patch UGI to work without security manager

[wendigo]

https://bugs.openjdk.org/browse/JDK-8327134

[wendigo]

I've tested it locally on the Trino build:

./testing/bin/ptl test run --environment multinode-tls-kerberos -- -g cli,group_by,join,tls
tests               | 2024-05-04 00:05:58 INFO: 21 SUCCEEDED      /      0 FAILED      /      0 SKIPPED

[electrum]

I think we also need to change getCurrentUser() to use Subject.current() instead.

[findepi]

refactors lgtm, but which part does make it work without security manager?

[electrum]

This uses the new Subject.callAs() and Subject.current() methods, replacing the deprecated methods.

[wendigo]

@findepi it doesn't mean that the SecurityManager isn't used because new methods still call the old code but the old methods will be removed in the future and new implementation for new methods will be provided that doesn't use SecurityManager.

[mneethiraj]

@wendigo - this version of UserGroupInformation doesn't include existing public method UserGroupInformation.doAs(PrivilegedAction<T> action), which would break any library using this method. Any specific reason to exclude this method? If not, can you please consider adding this method?

https://hadoop.apache.org/docs/stable/api/org/apache/hadoop/security/UserGroupInformation.html#doAs-java.security.PrivilegedAction-

[electrum]

This Hadoop shading project is only intended for use by Trino, which doesn't use this method. Can you explain more about your use case?

[electrum]

We removed the PrivilegedExceptionAction version of this method as it uses javax.security.auth.Subject#doAs which is deprecated for removal as of Java 18.

[wendigo]

@mneethiraj this is an internal Trino fork, that is only used by Trino afaik. We are on JDK 22 and will switch to 23 soon, so this repo contains fixes and changes that are required by the minimum Java version we use.

[mneethiraj]

This Hadoop shading project is only intended for use by Trino, which doesn't use this method. Can you explain more about your use case?

Yes. a library used in Ranger authorizer for Trino uses UserGroupInformation.doAs(PrivilegedAction<T> action) while calling Apache Ranger to get policies to authorize accesses in Trino. Move to io.trino.hadoop:apache-hadoop version 3.3.5-3 (from 3.3.5-1) broke the authorizer - due to the missing/remoed method UserGroupInformation.doAs(PrivilegedAction<T> action) in this version.

[mneethiraj]

@mneethiraj this is an internal Trino fork, that is only used by Trino afaik. We are on JDK 22 and will switch to 23 soon, so this repo contains fixes and changes that are required by the minimum Java version we use.

@wendigo - is it not possible to retain method UserGroupInformation.doAs(PrivilegedAction<T> action) while having its implementation updated to work with JDK 23?

[wendigo]

We do not plan to

[mneethiraj]

any compelling reason??

[wendigo]

These method are deprecated and will be removed so there is no reason to keep them in the fork

[mneethiraj]

This is a public method in org.apache.hadoop.security.UserGroupInformation; this method has not been deprecated in Hadoop. Removing a public method in a widely used library class is highly risky and can break integrations that are not visible during build in Trino repo. I strongly urge not removing existing public methods.

[wendigo]

@mneethiraj This is Trino fork and it maintains APIs fit for Trino, not Ranger or any other library

[wendigo]

@mneethiraj the solution here is to patch Ranger libraries (and that's what we did in Starburst), not the other way around. Trino project cannot be blocked with using future versions of the JDK because we use some deprecated, to-be-removed APIs.

[mneethiraj]

@wendigo - thank you for the clarification. This is helpful.