HADOOP-19668 optimization: Use native subject inheritance if supported

Author: stoty

hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/SubjectUtil.java

@@ -18,6 +18,9 @@
 
 package org.apache.hadoop.security.authentication.util;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
+
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;
 import java.lang.invoke.MethodType;
@@ -56,6 +59,13 @@ public final class SubjectUtil {
       HAS_CALL_AS ? null : lookupDoAsThrowException();
   private static final MethodHandle CURRENT = lookupCurrent();
 
+  // copied from org.apache.hadoop.util.Shell to break circular dependency
+  // "1.8"->8, "9"->9, "10"->10
+  private static final int JAVA_SPEC_VER = Math.max(8,
+      Integer.parseInt(System.getProperty("java.specification.version").split("\\.")[0]));
+
+  public static final boolean THREAD_INHERITS_SUBJECT = checkThreadInheritsSubject();
+
   private static MethodHandle lookupCallAs() {
     MethodHandles.Lookup lookup = MethodHandles.lookup();
     try {
@@ -71,6 +81,23 @@ private static MethodHandle lookupCallAs() {
     }
   }
 
+  private static boolean checkThreadInheritsSubject() {
+
+    boolean securityManagerEnabled = true;
+    try {
+      SecurityManager sm = System.getSecurityManager();
+      System.setSecurityManager(sm);
+    } catch (UnsupportedOperationException e) {
+      // JDK24+ always throws this, so we don't need to check for that
+      // separately
+      securityManagerEnabled = false;
+    } catch (Throwable t) {
+      // don't care
+    }
+
+    return JAVA_SPEC_VER < 22 || securityManagerEnabled;
+  }
+
   private static MethodHandle lookupDoAs() {
     MethodHandles.Lookup lookup = MethodHandles.lookup();
     try {

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/Daemon.java

@@ -45,7 +45,9 @@ public class Daemon extends Thread {
 
   @Override
   public final void start() {
-    startSubject = SubjectUtil.current();
+    if (!SubjectUtil.THREAD_INHERITS_SUBJECT) {
+      startSubject = SubjectUtil.current();
+    }
     super.start();
   }
 
@@ -60,15 +62,19 @@ public void work() {
 
   @Override
   public final void run() {
-    SubjectUtil.doAs(startSubject, new PrivilegedAction<Void>() {
-
-      @Override
-      public Void run() {
-        work();
-        return null;
-      }
-
-    });
+    if (!SubjectUtil.THREAD_INHERITS_SUBJECT) {
+      SubjectUtil.doAs(startSubject, new PrivilegedAction<Void>() {
+
+        @Override
+        public Void run() {
+          work();
+          return null;
+        }
+
+      });
+    } else {
+      work();
+    }
   }
 
   {

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/concurrent/SubjectInheritingThread.java

@@ -161,7 +161,9 @@ public SubjectInheritingThread(ThreadGroup group, Runnable target, String name)
    */
   @Override
   public final void start() {
-    startSubject = SubjectUtil.current();
+    if (!SubjectUtil.THREAD_INHERITS_SUBJECT) {
+      startSubject = SubjectUtil.current();
+    }
     super.start();
   }
 
@@ -181,14 +183,18 @@ public void work() {
    */
   @Override
   public final void run() {
-    SubjectUtil.doAs(startSubject, new PrivilegedAction<Void>() {
-
-      @Override
-      public Void run() {
-        work();
-        return null;
-      }
-
-    });
+    if (!SubjectUtil.THREAD_INHERITS_SUBJECT) {
+      SubjectUtil.doAs(startSubject, new PrivilegedAction<Void>() {
+
+        @Override
+        public Void run() {
+          work();
+          return null;
+        }
+
+      });
+    } else {
+      work();
+    }
   }
 }

hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/concurrent/TestSubjectPropagation.java

@@ -146,22 +146,11 @@ public void run() {
       }
     });
 
-    boolean securityManagerEnabled = true;
-    try {
-      SecurityManager sm = System.getSecurityManager();
-      System.setSecurityManager(sm);
-    } catch (UnsupportedOperationException e) {
-      // JDK24+ always throws this
-      securityManagerEnabled = false;
-    } catch (Throwable t) {
-      // don't care
-    }
-
-    if (Shell.isJavaVersionAtLeast(22) && !securityManagerEnabled) {
+    if (SubjectUtil.THREAD_INHERITS_SUBJECT) {
+      assertEquals(parentSubject, childSubject);
+    } else {
       // This is the behaviour that breaks Hadoop authorization
       assertNull(childSubject);
-    } else {
-      assertEquals(parentSubject, childSubject);
     }
   }
 
@@ -186,22 +175,11 @@ public void run() {
       }
     });
 
-    boolean securityManagerEnabled = true;
-    try {
-      SecurityManager sm = System.getSecurityManager();
-      System.setSecurityManager(sm);
-    } catch (UnsupportedOperationException e) {
-      // JDK24+ always throws this
-      securityManagerEnabled = false;
-    } catch (Throwable t) {
-      // don't care
-    }
-
-    if (Shell.isJavaVersionAtLeast(22) && !securityManagerEnabled) {
+    if (SubjectUtil.THREAD_INHERITS_SUBJECT) {
+      assertEquals(parentSubject, childSubject);
+    } else {
       // This is the behaviour that breaks Hadoop authorization
       assertNull(childSubject);
-    } else {
-      assertEquals(parentSubject, childSubject);
     }
   }