[KYUUBI #7549] Fix Subject.getSubject() in Kyuubi JDBC driver for JDK 25 compatibility#7550
Open
turboFei wants to merge 10 commits into
Open
[KYUUBI #7549] Fix Subject.getSubject() in Kyuubi JDBC driver for JDK 25 compatibility#7550turboFei wants to merge 10 commits into
turboFei wants to merge 10 commits into
Conversation
Member
Author
|
Works locally |
pan3793
reviewed
Jul 9, 2026
pan3793
reviewed
Jul 9, 2026
pan3793
reviewed
Jul 9, 2026
Member
|
lgtm, verified the port is correct. just leave some comments. |
cxzl25
approved these changes
Jul 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why are the changes needed?
JDK 24 permanently disabled the Security Manager (JEP 486), making
AccessController.getContext()throwUnsupportedOperationException. JDK 25 extended this toSubject.getSubject(). These APIs are called in the Kyuubi JDBC driver during Kerberos authentication, causing connections to fail:Additionally,
Subject.doAs()is deprecated for removal (JEP 411) and will break in a future JDK release.Fixes #7549.
What changed
Added
SubjectUtiltokyuubi-hive-jdbc, ported from Apache Hadoop (HADOOP-19212, HADOOP-19906). It bridges the deprecated/removed Security Manager APIs to their JDK 18+ replacements usingMethodHandlelookups resolved once at class load time:Subject.getSubject(AccessController.getContext())→Subject.current()(JDK 18+)Subject.doAs()→Subject.callAs()(JDK 18+)InheritableThreadLocal<Subject>to restore pre-JDK 22 Subject propagation into newly constructed threads (HADOOP-19906)Updated all affected callsites in the JDBC driver:
KyuubiConnection.javaSubject.getSubject()× 2 →SubjectUtil.current()HttpAuthUtils.javaSubject.doAs()→SubjectUtil.doAs()TSubjectTransport.javaSubject.doAs()→SubjectUtil.doAs()How was this patch tested?
Ported
TestSubjectUtilfrom Apache Hadoop, covering exception propagation semantics ofcallAs(),doAs(PrivilegedAction),doAs(PrivilegedExceptionAction), andsneakyThrow()across JDK versions. Fullkyuubi-hive-jdbcunit suite (43 tests) passes.Was this patch authored or co-authored using generative AI tooling?
Assisted-by: Claude:claude-sonnet-4-6