HADOOP-19668 Add SubjectInheritingThread to restore pre JDK22 Subject behaviour in Threads

Author: stoty

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/concurrent/SubjectInheritingThread.java

@@ -0,0 +1,148 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.util.concurrent;
+
+import java.security.PrivilegedAction;
+import javax.security.auth.Subject;
+
+import org.apache.hadoop.security.authentication.util.SubjectUtil;
+
+/**
+ * Helper class to restore Subject propagation behavior of threads after the
+ * JEP411/JEP486 changes.
+ * <p>
+ * Java propagates the current Subject to any new Threads in all version up to
+ * Java 21. In Java 22-23 the Subject is only propagated if the SecurityManager
+ * is enabled, while in Java 24+ it is never propagated.
+ * <p>
+ * Hadoop security heavily relies on the original behavior, as Subject is at the
+ * core of JAAS. This class wraps thread. It overrides start() and saves the
+ * Subject of the current thread, and wraps the payload in a
+ * Subject.doAs()/callAs() call to restorere it in the newly created Thread.
+ * <p>
+ * When specifying a Runnable, this class is used in exactly the same way as
+ * Thread.
+ * <p>
+ * {@link #run()} cannot be directly overridden, as that would also override the
+ * subject restoration logic. SubjectInheritingThread provides a {@link work()}
+ * method instead, which is wrapped and invoked by its own final {@link run()}
+ * method.
+ */
+public class SubjectInheritingThread extends Thread {
+
+  private Subject startSubject;
+  // {@link Thread#target} is private, so we need our own
+  private Runnable hadoopTarget;
+
+  /**
+   * Behaves similar to {@link Thread#Thread()} constructor, but the code to run
+   * must be specified by overriding the {@link #work()} instead of the {link
+   * #run()} method.
+   */
+  public SubjectInheritingThread() {
+    super();
+  }
+
+  /**
+   * Behaves similar to {@link Thread#Thread(Runnable)} constructor.
+   */
+  public SubjectInheritingThread(Runnable target) {
+    super();
+    this.hadoopTarget = target;
+  }
+
+  /**
+   * Behaves similar to {@link Thread#Thread(ThreadGroup, Runnable)} constructor.
+   */
+  public SubjectInheritingThread(ThreadGroup group, Runnable target) {
+    // The target passed to Thread has no effect, we only pass it
+    // because there is no super(group) constructor.
+    super(group, target);
+    this.hadoopTarget = target;
+  }
+
+  /**
+   * Behaves similar to {@link Thread#Thread(Runnable, String)} constructor.
+   */
+  public SubjectInheritingThread(Runnable target, String name) {
+    super(name);
+    this.hadoopTarget = target;
+  }
+
+  /**
+   * Behaves similar to {@link Thread#Thread(String)} constructor.
+   */
+  public SubjectInheritingThread(String name) {
+    super(name);
+  }
+
+  /**
+   * Behaves similar to {@link Thread#Thread(ThreadGroup, String)} constructor.
+   */
+  public SubjectInheritingThread(ThreadGroup group, String name) {
+    super(group, name);
+  }
+
+  /**
+   * Behaves similar to {@link Thread#Thread(ThreadGroup, Runnable, String)}
+   * constructor.
+   */
+  public SubjectInheritingThread(ThreadGroup group, Runnable target, String name) {
+    super(group, name);
+    this.hadoopTarget = target;
+  }
+
+  /**
+   * Behaves similar to pre-Java 22 {@link Thread#start()}. It saves the current
+   * Subject before starting the new thread, which is then used as the Subject for
+   * the Runnable or the overridden work() method.
+   */
+  @Override
+  public final void start() {
+    startSubject = SubjectUtil.current();
+    super.start();
+  }
+
+  /**
+   * This is the equivalent of {@link Thread#run()}. Override this instead of
+   * {@link #run()} Subject will be propagated like in pre-Java 22 Thread.
+   */
+  public void work() {
+    if (hadoopTarget != null) {
+      hadoopTarget.run();
+    }
+  }
+
+  /**
+   * This cannot be overridden in this class. Override the {@link #work()} method
+   * instead which behaves like pre-Java 22 {@link Thread#run()}
+   */
+  @Override
+  public final void run() {
+    SubjectUtil.doAs(startSubject, new PrivilegedAction<Void>() {
+
+      @Override
+      public Void run() {
+        work();
+        return null;
+      }
+
+    });
+  }
+}

hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/concurrent/TestSubjectPropagation.java

@@ -0,0 +1,162 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.util.concurrent;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
+
+import java.util.concurrent.Callable;
+
+import javax.security.auth.Subject;
+
+import org.apache.hadoop.security.authentication.util.SubjectUtil;
+import org.apache.hadoop.util.Daemon;
+import org.apache.hadoop.util.Shell;
+import org.junit.jupiter.api.Test;
+
+public class TestSubjectPropagation {
+
+  private Subject childSubject = null;
+
+  @Test
+  public void testSubjectInheritingThreadOverride() {
+    Subject parentSubject = new Subject();
+    childSubject = null;
+
+    SubjectUtil.callAs(parentSubject, new Callable<Void>() {
+      public Void call() throws InterruptedException {
+        SubjectInheritingThread t = new SubjectInheritingThread() {
+          @Override
+          public void work() {
+            childSubject = SubjectUtil.current();
+          }
+        };
+        t.start();
+        t.join(1000);
+        return (Void) null;
+      }
+    });
+
+    assertEquals(parentSubject, childSubject);
+  }
+
+  @Test
+  public void testSubjectInheritingThreadRunnable() {
+    Subject parentSubject = new Subject();
+    childSubject = null;
+
+    SubjectUtil.callAs(parentSubject, new Callable<Void>() {
+      public Void call() throws InterruptedException {
+        Runnable r = new Runnable() {
+          @Override
+          public void run() {
+            childSubject = SubjectUtil.current();
+          }
+        };
+
+        SubjectInheritingThread t = new SubjectInheritingThread(r);
+        t.start();
+        t.join(1000);
+        return (Void) null;
+      }
+    });
+
+    assertEquals(parentSubject, childSubject);
+  }
+
+  @Test
+  public void testThreadOverride() {
+    Subject parentSubject = new Subject();
+    childSubject = null;
+
+    SubjectUtil.callAs(parentSubject, new Callable<Void>() {
+      public Void call() throws InterruptedException {
+
+        Thread t = new Thread() {
+          @Override
+          public void run() {
+            childSubject = SubjectUtil.current();
+          }
+        };
+        t.start();
+        t.join(1000);
+        return (Void) null;
+      }
+    });
+
+    boolean securityManagerEnabled = true;
+    try {
+      SecurityManager sm = System.getSecurityManager();
+      System.setSecurityManager(sm);
+    } catch (UnsupportedOperationException e) {
+      // JDK24+ always throws this
+      securityManagerEnabled = false;
+    } catch (Throwable t) {
+      // don't care
+    }
+
+    if (Shell.isJavaVersionAtLeast(22) && !securityManagerEnabled) {
+      // This is the behaviour that breaks Hadoop authorization
+      assertNull(childSubject);
+    } else {
+      assertEquals(parentSubject, childSubject);
+    }
+  }
+
+  @Test
+  public void testThreadRunnable() {
+    Subject parentSubject = new Subject();
+    childSubject = null;
+
+    SubjectUtil.callAs(parentSubject, new Callable<Void>() {
+      public Void call() throws InterruptedException {
+        Runnable r = new Runnable() {
+          @Override
+          public void run() {
+            childSubject = SubjectUtil.current();
+          }
+        };
+
+        Thread t = new Thread(r);
+        t.start();
+        t.join(1000);
+        return (Void) null;
+      }
+    });
+
+    boolean securityManagerEnabled = true;
+    try {
+      SecurityManager sm = System.getSecurityManager();
+      System.setSecurityManager(sm);
+    } catch (UnsupportedOperationException e) {
+      // JDK24+ always throws this
+      securityManagerEnabled = false;
+    } catch (Throwable t) {
+      // don't care
+    }
+
+    if (Shell.isJavaVersionAtLeast(22) && !securityManagerEnabled) {
+      // This is the behaviour that breaks Hadoop authorization
+      assertNull(childSubject);
+    } else {
+      assertEquals(parentSubject, childSubject);
+    }
+  }
+
+}