HADOOP-19212. Avoid Subject.getSubject method on newer JVMs

[jbrinegar]

In Java 23, Subject.getSubject requires setting the system property java.security.manager to allow, else it will throw an exception. More detail is available in the release notes: https://jdk.java.net/23/release-notes

This is in support of the eventual removal of the security manager, at which point, Subject.getSubject will be removed. Since this project supports older Java releases, and the API which one must migrate to was only introduced in Java 18, I hid the implementations behind a runtime version check. I verified against several local Java versions that the correct classes are loaded (and more importantly, that the incorrect classes are not loaded). The outright removal of the security manager, and by extension the Subject.getSubject method would be a particularly large problem if we do not address this, which was my motivation here.

Some manual testing on Java 11, 17, and 23:

» java --version
openjdk 11.0.23 2024-04-16 LTS
» java -cp hadoop-auth-3.5.0-SNAPSHOT.jar org.apache.hadoop.util.subject.SubjectAdapter
Current subject is null

» java --version
openjdk 17.0.5 2022-10-18 LTS
» java -cp hadoop-auth-3.5.0-SNAPSHOT.jar org.apache.hadoop.util.subject.SubjectAdapter
Current subject is null

» java --version
openjdk 23 2024-09-17
» java -cp hadoop-auth-3.5.0-SNAPSHOT.jar org.apache.hadoop.util.subject.SubjectAdapter
Current subject is null

As desired, the class containing the old implementation does not get loaded on a new JVM:

» java --version
openjdk 23 2024-09-17
» java -verbose:class -cp hadoop-auth-3.5.0-SNAPSHOT.jar org.apache.hadoop.util.subject.SubjectAdapter | \grep -i subject | grep "class,load" | awk '{print $2}'
org.apache.hadoop.util.subject.SubjectAdapter
org.apache.hadoop.util.subject.HiddenGetSubject
javax.security.auth.Subject
org.apache.hadoop.util.subject.GetSubjectNg

And the inverse is true for an older JVM:

» java --version
openjdk 17.0.5 2022-10-18 LTS
» java -verbose:class -cp hadoop-auth-3.5.0-SNAPSHOT.jar org.apache.hadoop.util.subject.SubjectAdapter | \grep -i subject | grep "class,load" | awk '{print $2}'
org.apache.hadoop.util.subject.SubjectAdapter
org.apache.hadoop.util.subject.HiddenGetSubject
javax.security.auth.Subject
org.apache.hadoop.util.subject.ClassicGetSubject
javax.security.auth.Subject$1

Description of PR

How was this patch tested?

For code changes:

• Does the title or this PR starts with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
• Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
• If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
• If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

[hadoop-yetus]

🎊 +1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 48s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	codespell	0m 0s		codespell was not available.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
+1 💚	test4tests	0m 0s		The patch appears to include 1 new or modified test files.
			_ trunk Compile Tests _
+0 🆗	mvndep	14m 56s		Maven dependency ordering for branch
+1 💚	mvninstall	37m 42s		trunk passed
+1 💚	compile	19m 49s		trunk passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04
+1 💚	compile	18m 16s		trunk passed with JDK Private Build-1.8.0_422-8u422-b05-1~20.04-b05
+1 💚	checkstyle	1m 28s		trunk passed
+1 💚	mvnsite	2m 27s		trunk passed
+1 💚	javadoc	2m 3s		trunk passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04
+1 💚	javadoc	1m 34s		trunk passed with JDK Private Build-1.8.0_422-8u422-b05-1~20.04-b05
+1 💚	spotbugs	3m 31s		trunk passed
+1 💚	shadedclient	41m 40s		branch has no errors when building and testing our client artifacts.
			_ Patch Compile Tests _
+0 🆗	mvndep	0m 32s		Maven dependency ordering for patch
+1 💚	mvninstall	1m 19s		the patch passed
+1 💚	compile	18m 46s		the patch passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04
+1 💚	javac	18m 46s		the patch passed
+1 💚	compile	18m 16s		the patch passed with JDK Private Build-1.8.0_422-8u422-b05-1~20.04-b05
+1 💚	javac	18m 16s		the patch passed
+1 💚	blanks	0m 0s		The patch has no blanks issues.
-0 ⚠️	checkstyle	1m 23s	/results-checkstyle-hadoop-common-project.txt	hadoop-common-project: The patch generated 50 new + 73 unchanged - 0 fixed = 123 total (was 73)
+1 💚	mvnsite	2m 28s		the patch passed
+1 💚	javadoc	1m 55s		the patch passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04
+1 💚	javadoc	1m 33s		the patch passed with JDK Private Build-1.8.0_422-8u422-b05-1~20.04-b05
+1 💚	spotbugs	3m 52s		the patch passed
+1 💚	shadedclient	42m 46s		patch has no errors when building and testing our client artifacts.
			_ Other Tests _
+1 💚	unit	3m 27s		hadoop-auth in the patch passed.
+1 💚	unit	19m 35s		hadoop-common in the patch passed.
+1 💚	asflicense	1m 4s		The patch does not generate ASF License warnings.
		262m 23s

Subsystem	Report/Notes
Docker	ClientAPI=1.47 ServerAPI=1.47 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7081/1/artifact/out/Dockerfile
GITHUB PR	#7081
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets
uname	Linux 18e6ff302126 5.15.0-118-generic #128-Ubuntu SMP Fri Jul 5 09:28:59 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/bin/hadoop.sh
git revision	trunk / 9541294
Default Java	Private Build-1.8.0_422-8u422-b05-1~20.04-b05
Multi-JDK versions	/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_422-8u422-b05-1~20.04-b05
Test Results	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7081/1/testReport/
Max. process+thread count	3134 (vs. ulimit of 5500)
modules	C: hadoop-common-project/hadoop-auth hadoop-common-project/hadoop-common U: hadoop-common-project
Console output	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7081/1/console
versions	git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by	Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

[jojochuang]

Make sense to me. There's a checkstyle warning but glad it's not a big change.
Are you finding other issues with JDK23? I know it's just come out this month.

[jbrinegar]

I am happy to report no other issues. This Subject usage in hadoop-common impacts a great many projects, so -Djava.security.manager=allow had to be sprinkled around to get things booting on Java 23.

[jojochuang]

Ok sounds like we should get it backported to 3.4.x and 3.3.x too.

[jbrinegar]

@steveloughran PR for HADOOP-19212. I updated the title to reflect the duplicate change.

[steveloughran]

this is great! we'd been warned about this but nobody had written the code.

I've made some comments. Can you also change the title to that of the previous JIRA on this. Thanks

[steveloughran]

Use DynMethods

[jbrinegar]

This class, and all classes added in this PR, are in the hadoop-auth module because Subject.getSubject is used in both hadoop-auth (KerberosAuthenticator) and hadoop-common (UserGroupInformation). hadoop-common depends on hadoop-auth, so that seemed like a reasonable fit.

DynMethods, however, resides in hadoop-common, and thus it cannot be used in hadoop-auth.

How would you like me to proceed?

[stoty]

@steveloughran ,
@jbrinegar 's point is valid.

How do you propose solving the circular dependency issue ?
Should the DynMethods code be copied to hadoop-auth ?
Is there some suiteable small external dependency that provides DynMethods ?

[pan3793]

moving Dyn* to hadoop-auth module? then they can be consumed by every hadoop module.

[stoty]

I agree.
I've just confirmed that hadoop-common already depends on hadoop-auth, so the move should be transparent to all users.

[steveloughran]

Use Shell.isJavaVersionAtLeast(18)

[jbrinegar]

My comment about dependencies applies to Shell as well. Let me know how you'd like to proceed with this one as well.

[stoty]

IMO testing trying to load the new classes and failing over to the old classes if they cannot be found would be more robust.

[steveloughran]

IMO testing trying to load the new classes and failing over to the old classes if they cannot be found would be more robust.

interesting thought.

how about

• we avoid Subject
• pull the string on L33 to a constant

[steveloughran]

@stoty interesting thought about attempting and fallbacks

We'd try the java18+ first & fall back to java <= 17 otherwise? or do it in the opposite direction, at least for now?

[jbrinegar]

@steveloughran thank you for the review. I have pushed a second commit that addresses feedback marked with 👍. The title of this PR was updated to include "HADOOP-19212." as a prefix. I am happy to rebase/squash once review is complete, if squashing is necessary.

Due to dependencies, I cannot use DynMethods and Shell, and so those requests are not completed. Let me know how you wish for me to proceed there.

[hadoop-yetus]

🎊 +1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	17m 46s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	codespell	0m 1s		codespell was not available.
+0 🆗	detsecrets	0m 1s		detect-secrets was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
+1 💚	test4tests	0m 0s		The patch appears to include 1 new or modified test files.
			_ trunk Compile Tests _
+0 🆗	mvndep	14m 59s		Maven dependency ordering for branch
+1 💚	mvninstall	37m 16s		trunk passed
+1 💚	compile	20m 6s		trunk passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04
+1 💚	compile	18m 50s		trunk passed with JDK Private Build-1.8.0_422-8u422-b05-1~20.04-b05
+1 💚	checkstyle	1m 27s		trunk passed
+1 💚	mvnsite	2m 31s		trunk passed
+1 💚	javadoc	2m 3s		trunk passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04
+1 💚	javadoc	1m 34s		trunk passed with JDK Private Build-1.8.0_422-8u422-b05-1~20.04-b05
+1 💚	spotbugs	3m 36s		trunk passed
+1 💚	shadedclient	48m 24s		branch has no errors when building and testing our client artifacts.
-0 ⚠️	patch	48m 51s		Used diff version of patch file. Binary files and potentially other changes not applied. Please rebase and squash commits if necessary.
			_ Patch Compile Tests _
+0 🆗	mvndep	0m 33s		Maven dependency ordering for patch
+1 💚	mvninstall	1m 19s		the patch passed
+1 💚	compile	19m 7s		the patch passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04
+1 💚	javac	19m 7s		the patch passed
+1 💚	compile	18m 12s		the patch passed with JDK Private Build-1.8.0_422-8u422-b05-1~20.04-b05
+1 💚	javac	18m 12s		the patch passed
+1 💚	blanks	0m 0s		The patch has no blanks issues.
-0 ⚠️	checkstyle	1m 22s	/results-checkstyle-hadoop-common-project.txt	hadoop-common-project: The patch generated 53 new + 73 unchanged - 0 fixed = 126 total (was 73)
+1 💚	mvnsite	2m 27s		the patch passed
+1 💚	javadoc	1m 55s		the patch passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04
+1 💚	javadoc	1m 33s		the patch passed with JDK Private Build-1.8.0_422-8u422-b05-1~20.04-b05
+1 💚	spotbugs	3m 54s		the patch passed
+1 💚	shadedclient	42m 43s		patch has no errors when building and testing our client artifacts.
			_ Other Tests _
+1 💚	unit	3m 28s		hadoop-auth in the patch passed.
+1 💚	unit	19m 32s		hadoop-common in the patch passed.
+1 💚	asflicense	1m 4s		The patch does not generate ASF License warnings.
		286m 44s

Subsystem	Report/Notes
Docker	ClientAPI=1.47 ServerAPI=1.47 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7081/2/artifact/out/Dockerfile
GITHUB PR	#7081
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets
uname	Linux 37e27de92584 5.15.0-118-generic #128-Ubuntu SMP Fri Jul 5 09:28:59 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/bin/hadoop.sh
git revision	trunk / e25881e
Default Java	Private Build-1.8.0_422-8u422-b05-1~20.04-b05
Multi-JDK versions	/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_422-8u422-b05-1~20.04-b05
Test Results	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7081/2/testReport/
Max. process+thread count	3134 (vs. ulimit of 5500)
modules	C: hadoop-common-project/hadoop-auth hadoop-common-project/hadoop-common U: hadoop-common-project
Console output	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7081/2/console
versions	git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by	Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

[hadoop-yetus]

🎊 +1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	17m 35s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	codespell	0m 0s		codespell was not available.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
+1 💚	test4tests	0m 0s		The patch appears to include 1 new or modified test files.
			_ trunk Compile Tests _
+0 🆗	mvndep	15m 11s		Maven dependency ordering for branch
+1 💚	mvninstall	36m 57s		trunk passed
+1 💚	compile	19m 59s		trunk passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04
+1 💚	compile	18m 16s		trunk passed with JDK Private Build-1.8.0_422-8u422-b05-1~20.04-b05
+1 💚	checkstyle	1m 24s		trunk passed
+1 💚	mvnsite	2m 29s		trunk passed
+1 💚	javadoc	2m 5s		trunk passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04
+1 💚	javadoc	1m 33s		trunk passed with JDK Private Build-1.8.0_422-8u422-b05-1~20.04-b05
+1 💚	spotbugs	3m 36s		trunk passed
+1 💚	shadedclient	41m 55s		branch has no errors when building and testing our client artifacts.
-0 ⚠️	patch	42m 23s		Used diff version of patch file. Binary files and potentially other changes not applied. Please rebase and squash commits if necessary.
			_ Patch Compile Tests _
+0 🆗	mvndep	0m 33s		Maven dependency ordering for patch
+1 💚	mvninstall	1m 19s		the patch passed
+1 💚	compile	19m 5s		the patch passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04
+1 💚	javac	19m 5s		the patch passed
+1 💚	compile	18m 8s		the patch passed with JDK Private Build-1.8.0_422-8u422-b05-1~20.04-b05
+1 💚	javac	18m 8s		the patch passed
+1 💚	blanks	0m 0s		The patch has no blanks issues.
-0 ⚠️	checkstyle	1m 23s	/results-checkstyle-hadoop-common-project.txt	hadoop-common-project: The patch generated 53 new + 73 unchanged - 0 fixed = 126 total (was 73)
+1 💚	mvnsite	2m 26s		the patch passed
+1 💚	javadoc	1m 57s		the patch passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04
+1 💚	javadoc	1m 34s		the patch passed with JDK Private Build-1.8.0_422-8u422-b05-1~20.04-b05
+1 💚	spotbugs	3m 50s		the patch passed
+1 💚	shadedclient	42m 24s		patch has no errors when building and testing our client artifacts.
			_ Other Tests _
+1 💚	unit	3m 29s		hadoop-auth in the patch passed.
+1 💚	unit	19m 37s		hadoop-common in the patch passed.
+1 💚	asflicense	1m 4s		The patch does not generate ASF License warnings.
		278m 55s

Subsystem	Report/Notes
Docker	ClientAPI=1.47 ServerAPI=1.47 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7081/3/artifact/out/Dockerfile
GITHUB PR	#7081
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets
uname	Linux 9fc8ff5d88eb 5.15.0-118-generic #128-Ubuntu SMP Fri Jul 5 09:28:59 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/bin/hadoop.sh
git revision	trunk / e6e9bd2
Default Java	Private Build-1.8.0_422-8u422-b05-1~20.04-b05
Multi-JDK versions	/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_422-8u422-b05-1~20.04-b05
Test Results	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7081/3/testReport/
Max. process+thread count	1294 (vs. ulimit of 5500)
modules	C: hadoop-common-project/hadoop-auth hadoop-common-project/hadoop-common U: hadoop-common-project
Console output	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7081/3/console
versions	git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by	Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

[pan3793]

lgtm except for 2 minor issues.

[AlanBateman]

JEP 486: Permanently Disable the Security Manager is on the JDK's technical roadmap. As part of the changes (PR in review) will be for Subject.current to throw unconditionally, meaning the workaround to allow a SecurityManager will no longer work. So the timing of the PR here is good.

[hadoop-yetus]

💔 -1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	38m 36s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	codespell	0m 0s		codespell was not available.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
+1 💚	test4tests	0m 0s		The patch appears to include 1 new or modified test files.
			_ trunk Compile Tests _
+0 🆗	mvndep	16m 22s		Maven dependency ordering for branch
-1 ❌	mvninstall	5m 38s	/branch-mvninstall-root.txt	root in trunk failed.
+1 💚	compile	36m 52s		trunk passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04
-1 ❌	compile	9m 6s	/branch-compile-root-jdkPrivateBuild-1.8.0_422-8u422-b05-1~20.04-b05.txt	root in trunk failed with JDK Private Build-1.8.0_422-8u422-b05-1~20.04-b05.
+1 💚	checkstyle	1m 58s		trunk passed
+1 💚	mvnsite	3m 45s		trunk passed
+1 💚	javadoc	3m 7s		trunk passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04
+1 💚	javadoc	2m 14s		trunk passed with JDK Private Build-1.8.0_422-8u422-b05-1~20.04-b05
+1 💚	spotbugs	4m 52s		trunk passed
+1 💚	shadedclient	47m 24s		branch has no errors when building and testing our client artifacts.
-0 ⚠️	patch	47m 51s		Used diff version of patch file. Binary files and potentially other changes not applied. Please rebase and squash commits if necessary.
			_ Patch Compile Tests _
+0 🆗	mvndep	0m 33s		Maven dependency ordering for patch
+1 💚	mvninstall	1m 20s		the patch passed
+1 💚	compile	19m 36s		the patch passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04
+1 💚	javac	19m 36s		the patch passed
+1 💚	compile	17m 59s		the patch passed with JDK Private Build-1.8.0_422-8u422-b05-1~20.04-b05
+1 💚	javac	17m 59s		the patch passed
+1 💚	blanks	0m 0s		The patch has no blanks issues.
-0 ⚠️	checkstyle	1m 26s	/results-checkstyle-hadoop-common-project.txt	hadoop-common-project: The patch generated 46 new + 73 unchanged - 0 fixed = 119 total (was 73)
+1 💚	mvnsite	2m 26s		the patch passed
+1 💚	javadoc	1m 56s		the patch passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04
+1 💚	javadoc	1m 35s		the patch passed with JDK Private Build-1.8.0_422-8u422-b05-1~20.04-b05
+1 💚	spotbugs	3m 56s		the patch passed
+1 💚	shadedclient	42m 48s		patch has no errors when building and testing our client artifacts.
			_ Other Tests _
+1 💚	unit	3m 29s		hadoop-auth in the patch passed.
+1 💚	unit	19m 35s		hadoop-common in the patch passed.
+1 💚	asflicense	1m 4s		The patch does not generate ASF License warnings.
		288m 31s

Subsystem	Report/Notes
Docker	ClientAPI=1.47 ServerAPI=1.47 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7081/4/artifact/out/Dockerfile
GITHUB PR	#7081
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets
uname	Linux d3c644186516 5.15.0-118-generic #128-Ubuntu SMP Fri Jul 5 09:28:59 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/bin/hadoop.sh
git revision	trunk / 4325f46
Default Java	Private Build-1.8.0_422-8u422-b05-1~20.04-b05
Multi-JDK versions	/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu320.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_422-8u422-b05-1~20.04-b05
Test Results	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7081/4/testReport/
Max. process+thread count	3098 (vs. ulimit of 5500)
modules	C: hadoop-common-project/hadoop-auth hadoop-common-project/hadoop-common U: hadoop-common-project
Console output	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7081/4/console
versions	git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by	Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

[jbrinegar]

I am not sure I have the permissions to retrigger the failing checks. Ultimate failure was on the remote side:

[WARNING] c++: fatal error: cannot execute ‘as’: vfork: Resource temporarily unavailable
[WARNING] compilation terminated.
[WARNING] make[2]: *** [main/native/libhdfspp/tests/CMakeFiles/user_lock_test.dir/build.make:63: main/native/libhdfspp/tests/CMakeFiles/user_lock_test.dir/user_lock_test.cc.o] Error 1

This java code compiles just fine:

[INFO] Reactor Summary for Apache Hadoop Common Project 3.5.0-SNAPSHOT:
[INFO]
[INFO] Apache Hadoop Annotations .......................... SUCCESS [  0.710 s]
[INFO] Apache Hadoop MiniKDC .............................. SUCCESS [  0.271 s]
[INFO] Apache Hadoop Auth ................................. SUCCESS [  0.769 s]
[INFO] Apache Hadoop Auth Examples ........................ SUCCESS [  0.094 s]
[INFO] Apache Hadoop Common ............................... SUCCESS [ 36.642 s]
[INFO] Apache Hadoop NFS .................................. SUCCESS [  7.181 s]
[INFO] Apache Hadoop KMS .................................. SUCCESS [  0.227 s]
[INFO] Apache Hadoop Registry ............................. SUCCESS [  0.439 s]
[INFO] Apache Hadoop Common Project ....................... SUCCESS [  0.018 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  46.854 s
[INFO] Finished at: 2024-10-16T16:54:14-04:00
[INFO] ------------------------------------------------------------------------

[steveloughran]

Use our LambdaTestUtils.intercept() here as it fails better, can validates the type and message

[jbrinegar]

The comment in #7081 (comment) applies here as well.

[steveloughran]

Please use our new DynMethods classes, (which we copied from parquet and which is also found in iceberg). It fails better and as it is so common it's good to get familiar with it

[jbrinegar]

@steveloughran my comment from here still applies. #7081 (comment)

[stoty]

I don't really like the name, maybe rename to JDKSpecificSubjectAdapter or similar ?

[cnauroth]

Thanks for this important patch, @jbrinegar ! I entered a few minor comments.

This is very nitpicky, but there is a comment in test code that still mentions AccessControlContext:

https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java#L856

Can you remove mention of that in the comment?

This is a great step, but there will still be references to the deprecated APIs in other parts of the Hadoop codebase. (See below.) Are you interested in addressing all of these, or do you prefer to focus on getting in a hadoop-common patch and then we can focus on other spots piecemeal?

> grep -r --include '*.java' 'AccessController' *
hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java:import java.security.AccessController;
hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java:      AccessControlContext context = AccessController.getContext();
hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/util/PlatformName.java:import java.security.AccessController;
hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/util/PlatformName.java:    return AccessController.doPrivileged((PrivilegedAction<Boolean>) () -> {
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/metrics2/impl/MetricsConfig.java:import static java.security.AccessController.*;
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/io/FastByteComparisons.java:import java.security.AccessController;
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/io/FastByteComparisons.java:        theUnsafe = (Unsafe) AccessController.doPrivileged(
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java:import java.security.AccessController;
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java:    AccessControlContext context = AccessController.getContext();
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/dynamic/DynMethods.java:import java.security.AccessController;
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/dynamic/DynMethods.java:        AccessController.doPrivileged(new MakeAccessible(hidden));
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/dynamic/DynConstructors.java:import java.security.AccessController;
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/dynamic/DynConstructors.java:        AccessController.doPrivileged(new MakeAccessible(hidden));
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CleanerUtil.java:import java.security.AccessController;
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CleanerUtil.java:    final Object hack = AccessController.doPrivileged(
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/CleanerUtil.java:      final Throwable error = AccessController.doPrivileged(
hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/checker/AbstractFuture.java:import java.security.AccessController;
hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/datanode/checker/AbstractFuture.java:              AccessController.doPrivileged(
hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/main/java/org/apache/hadoop/mapred/LocalDistributedCacheManager.java:import java.security.AccessController;
hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/main/java/org/apache/hadoop/mapred/LocalDistributedCacheManager.java:    return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/main/java/org/apache/hadoop/mapred/LocalDistributedCacheManager.java:      AccessController.doPrivileged(new PrivilegedAction<Void>() {
hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/main/java/org/apache/hadoop/mapreduce/v2/util/MRApps.java:import java.security.AccessController;
hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-common/src/main/java/org/apache/hadoop/mapreduce/v2/util/MRApps.java:      return AccessController.doPrivileged(
hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/pipes/Submitter.java:import java.security.AccessController;
hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapred/pipes/Submitter.java:          AccessController.doPrivileged(
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timeline-pluginstorage/src/main/java/org/apache/hadoop/yarn/server/timeline/EntityGroupFSTimelineStore.java:import java.security.AccessController;
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timeline-pluginstorage/src/main/java/org/apache/hadoop/yarn/server/timeline/EntityGroupFSTimelineStore.java:      return AccessController.doPrivileged(
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/AuxiliaryServiceWithCustomClassLoader.java:import java.security.AccessController;
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/AuxiliaryServiceWithCustomClassLoader.java:      return AccessController.doPrivileged(

[cnauroth]

Can you please add a package-info.java in this new sub-directory and annotate it as private and unstable?

Example: https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/concurrent/package-info.java

[cnauroth]

Can this be package-private instead of public?

[ryantomlinson95]

Thank you for working on this patch @jbrinegar! This will help eliminate a big blocker for us in trying to upgrade our stack to JDK 23.

[stoty]

@ryantomlinson95 @cnauroth @steveloughran @jbrinegar @jojochuang @pan3793

I'd like to bring to your attention HADOOP-19486, and the corresponding thread I have opened on dev@hadoop.apache.org , where I track my full JDK23 support work.

Please check my email, and join the discussion.

[steveloughran]

commented...I'd added the comments a while back but forgotten to submit the review. sorry

[steveloughran]

IMO testing trying to load the new classes and failing over to the old classes if they cannot be found would be more robust.

interesting thought.

how about

• we avoid Subject
• pull the string on L33 to a constant

[steveloughran]

@stoty interesting thought about attempting and fallbacks

We'd try the java18+ first & fall back to java <= 17 otherwise? or do it in the opposite direction, at least for now?

[stoty]

My alternate patch tries the new API first, and falls back to the old one, @steveloughran .
I have pinged you on that one, so that you can check it out, and maybe discuss it there.

Conversion either way has an overhead, as the Callable / PrivilegedExceptionAction conversion and exception re-wrapping has to happen, but IMO anything we do inside those doAs() blocks is heavyweight enough that the overhad is relatively negligible.