Re: [PR] [#3896] feat(catalog-lakehouse-paimon): Support kerberos auth for Paimon FilesystemCatalog [gravitino]

Tue, 09 Jul 2024 06:29:44 -0700 


yuqi1129 commented on code in PR #4075:
URL: https://github.com/apache/gravitino/pull/4075#discussion_r1670535247


##########
catalogs/catalog-lakehouse-paimon/src/main/java/com/datastrato/gravitino/catalog/lakehouse/paimon/utils/CatalogUtils.java:
##########
@@ -46,17 +56,55 @@ public static Catalog loadCatalogBackend(PaimonConfig 
paimonConfig) {
     String metastore = paimonConfig.get(CATALOG_BACKEND);
     Preconditions.checkArgument(
         StringUtils.isNotBlank(metastore), "Paimon Catalog metastore can not 
be null or empty.");
+
     String warehouse = paimonConfig.get(CATALOG_WAREHOUSE);
     Preconditions.checkArgument(
         StringUtils.isNotBlank(warehouse), "Paimon Catalog warehouse can not 
be null or empty.");
+
     if (!PaimonCatalogBackend.FILESYSTEM.name().equalsIgnoreCase(metastore)) {
       String uri = paimonConfig.get(CATALOG_URI);
       Preconditions.checkArgument(
-          StringUtils.isNotBlank(uri),
-          String.format("Paimon Catalog uri can not be null or empty for %s.", 
metastore));
+          StringUtils.isNotBlank(uri), "Paimon Catalog uri can not be null or 
empty.");
     }
+
+    Map<String, String> allConfig = paimonConfig.getAllConfig();
+    Configuration configuration = new Configuration();
+    allConfig.forEach(configuration::set);
+
     CatalogContext catalogContext =
-        CatalogContext.create(Options.fromMap(paimonConfig.getAllConfig()));
-    return CatalogFactory.createCatalog(catalogContext);
+        CatalogContext.create(Options.fromMap(paimonConfig.getAllConfig()), 
configuration);
+
+    AuthenticationConfig authenticationConfig = new 
AuthenticationConfig(allConfig);
+    if (authenticationConfig.isSimpleAuth()) {
+      return CatalogFactory.createCatalog(catalogContext);
+    } else if (authenticationConfig.isKerberosAuth()) {
+      configuration.set(HADOOP_SECURITY_AUTHORIZATION, "true");
+      configuration.set(HADOOP_SECURITY_AUTHENTICATION, "kerberos");
+
+      switch 
(PaimonCatalogBackend.valueOf(metastore.toUpperCase(Locale.ROOT))) {
+        case FILESYSTEM:
+          initKerberosAndReturnRealm(allConfig, configuration);

Review Comment:
   > could the implement grant the correctness of the user in multi user 
environment? If yes, how?
   
   There are no multiple users for a catalog as it's passed from the catalog 
creation process. What you mean multiple users may refer to users who were 
previously passed from the SDK API. 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to