HADOOP-19744. Reduce WARN log messages in SubjectUtil.checkThreadInheritsSubject

stoty · stoty · commit 8944d13edc00 · 2025-11-18T08:46:27.000+01:00
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/SubjectUtil.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/SubjectUtil.java
@@ -90,20 +90,17 @@ private static MethodHandle lookupCallAs() {
    */
   private static boolean checkThreadInheritsSubject() {
 
-    boolean securityManagerEnabled = true;
-    try {
-      // TODO this needs SecurityManager to compile, use reflection to look it up instead
-      SecurityManager sm = System.getSecurityManager();
-      System.setSecurityManager(sm);
-    } catch (UnsupportedOperationException e) {
-      // JDK24+ unconditionally throws this, so we don't need to check for JDK24+
-      // explicitly
-      securityManagerEnabled = false;
-    } catch (Throwable t) {
-      // don't care
+    if (JAVA_SPEC_VER <= 21) {
+      return true;
+    } else {
+      // 24+ never inherits the Subject.
+      // For 22 and 23 the behavior actually depends on whether the SecurityManager
+      // is enabled, but this check is only used to enable a minor performance
+      // optimization of bypassing a doAs/callAs call in SubjectInheritingThread.
+      // We accept that possible minor performance cost to avoid extra complexity
+      // and prevent the HVM from logging SecurityManager warnings to console.
+      return false;
     }
-
-    return JAVA_SPEC_VER < 22 || securityManagerEnabled;
   }
 
   /**
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/concurrent/TestSubjectPropagation.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/util/concurrent/TestSubjectPropagation.java
@@ -147,9 +147,12 @@ public void run() {
     });
 
     if (SubjectUtil.THREAD_INHERITS_SUBJECT) {
+
       assertEquals(parentSubject, childSubject);
     } else {
       // This is the behaviour that breaks Hadoop authorization
+      // This would break for Java 22-23 if the SecurityManager would be enabled,
+      // but we don't run tests with the SecurityManager enabled.
       assertNull(childSubject);
     }
   }
@@ -179,6 +182,8 @@ public void run() {
       assertEquals(parentSubject, childSubject);
     } else {
       // This is the behaviour that breaks Hadoop authorization
+      // This would break for Java 22-23 if the SecurityManager would be enabled,
+      // but we don't run tests with the SecurityManager enabled.
       assertNull(childSubject);
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -147,9 +147,12 @@ public void run() {`
`147`	`147`	`});`
`148`	`148`
`149`	`149`	`if (SubjectUtil.THREAD_INHERITS_SUBJECT) {`
	`150`	`+`
`150`	`151`	`assertEquals(parentSubject, childSubject);`
`151`	`152`	`} else {`
`152`	`153`	`// This is the behaviour that breaks Hadoop authorization`
	`154`	`+ // This would break for Java 22-23 if the SecurityManager would be enabled,`
	`155`	`+ // but we don't run tests with the SecurityManager enabled.`
`153`	`156`	`assertNull(childSubject);`
`154`	`157`	`}`
`155`	`158`	`}`
`@@ -179,6 +182,8 @@ public void run() {`
`179`	`182`	`assertEquals(parentSubject, childSubject);`
`180`	`183`	`} else {`
`181`	`184`	`// This is the behaviour that breaks Hadoop authorization`
	`185`	`+ // This would break for Java 22-23 if the SecurityManager would be enabled,`
	`186`	`+ // but we don't run tests with the SecurityManager enabled.`
`182`	`187`	`assertNull(childSubject);`
`183`	`188`	`}`
`184`	`189`	`}`