This is an automated email from the ASF dual-hosted git repository. jshao pushed a commit to branch branch-gvfs-fuse-dev in repository https://gitbox.apache.org/repos/asf/gravitino.git
commit 8ab7798869c02245921b77332e26f1f22dfa195e Author: Justin Mclean <[email protected]> AuthorDate: Fri Dec 6 17:14:12 2024 +1100 [#5384] Support Kerberos authentication in the Gravitino CLI. (#5766) ### What changes were proposed in this pull request? Support Kerberos authentication. ### Why are the changes needed? To add support for Kerberos authentication. Fix: #5384 ### Does this PR introduce _any_ user-facing change? No. ### How was this patch tested? Tested locally. --- .../apache/gravitino/cli/GravitinoCommandLine.java | 14 +++--- .../org/apache/gravitino/cli/GravitinoConfig.java | 37 +++++++++++---- .../org/apache/gravitino/cli/KerberosData.java | 54 ++++++++++++++++++++++ .../org/apache/gravitino/cli/commands/Command.java | 14 ++++++ docs/cli.md | 9 ++++ 5 files changed, 113 insertions(+), 15 deletions(-) diff --git a/clients/cli/src/main/java/org/apache/gravitino/cli/GravitinoCommandLine.java b/clients/cli/src/main/java/org/apache/gravitino/cli/GravitinoCommandLine.java index bfdd49507..bb573fcb3 100644 --- a/clients/cli/src/main/java/org/apache/gravitino/cli/GravitinoCommandLine.java +++ b/clients/cli/src/main/java/org/apache/gravitino/cli/GravitinoCommandLine.java @@ -781,7 +781,7 @@ public class GravitinoCommandLine extends TestableCommandLine { return urlEnv; } - // Check if the metalake name is specified in the configuration file + // Check if the Gravitino URL is specified in the configuration file if (config.fileExists()) { config.read(); String configURL = config.getGravitinoURL(); 
@@ -806,24 +806,24 @@ public class GravitinoCommandLine extends TestableCommandLine { return GravitinoOptions.SIMPLE; } - // Cache the Gravitino URL environment variable + // Cache the Gravitino authentication type environment variable if (authEnv == null && !authSet) { authEnv = System.getenv("GRAVITINO_AUTH"); authSet = true; } - // If set return the Gravitino URL environment variable + // If set return the Gravitino authentication type environment variable if (authEnv != null) { return authEnv; } - // Check if the metalake name is specified in the configuration file + // Check if the authentication type is specified in the configuration file GravitinoConfig config = new GravitinoConfig(null); if (config.fileExists()) { config.read(); - String configAuth = config.getGravitinoAuth(); - if (configAuth != null) { - return configAuth; + String configAuthType = config.getGravitinoAuthType(); + if (configAuthType != null) { + return configAuthType; } } diff --git a/clients/cli/src/main/java/org/apache/gravitino/cli/GravitinoConfig.java b/clients/cli/src/main/java/org/apache/gravitino/cli/GravitinoConfig.java index 148bfaeb6..bb9aa5312 100644 --- a/clients/cli/src/main/java/org/apache/gravitino/cli/GravitinoConfig.java +++ b/clients/cli/src/main/java/org/apache/gravitino/cli/GravitinoConfig.java @@ -36,8 +36,9 @@ public class GravitinoConfig { private String metalake; private String url; private boolean ignore; - private String authentication; + private String authType; private OAuthData oauth; + private KerberosData kerberos; /** * Creates a GravitinoConfig object with a specified config file. If no file is provided, it 
@@ -93,7 +94,18 @@ public class GravitinoConfig { ignore = prop.getProperty(ignoreKey).equals("true"); } if (prop.containsKey(authKey)) { - authentication = prop.getProperty(authKey); + authType = prop.getProperty(authKey); + } + + if (authKey.equals("oauth")) { + oauth = + new OAuthData( + prop.getProperty("serverURI"), + prop.getProperty("credential"), + prop.getProperty("token"), + prop.getProperty("scope")); + } else if (authKey.equals("kerberos")) { + kerberos = new KerberosData(prop.getProperty("principal"), prop.getProperty("keytabFile")); } if (authKey.equals("oauth")) { @@ -143,20 +155,29 @@ public class GravitinoConfig { } /** - * Retrieves the Gravitino authentication stored in the configuration. + * Retrieves the Gravitino authentication type stored in the configuration. * - * @return The Gravitino authentication or null if not set. + * @return The Gravitino authentication type or null if not set. */ - public String getGravitinoAuth() { - return authentication; + public String getGravitinoAuthType() { + return authType; } /** - * Retrieves the Gravitino oAuth authentication configuration. + * Retrieves the Gravitino OAuth configuration. * - * @return The Gravitino authentication or null if not set. + * @return The Gravitino OAuth data or null if not set. */ public OAuthData getOAuth() { return oauth; } + + /** + * Retrieves the Gravitino kerberos configuration. + * + * @return The Gravitino Kerberos data or null if not set. + */ + public KerberosData getKerberos() { + return kerberos; + } } diff --git a/clients/cli/src/main/java/org/apache/gravitino/cli/KerberosData.java b/clients/cli/src/main/java/org/apache/gravitino/cli/KerberosData.java new file mode 100644 index 000000000..447fdf942 --- /dev/null +++ b/clients/cli/src/main/java/org/apache/gravitino/cli/KerberosData.java 
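Review bot: The two added branches test `authKey`, the property name passed to `prop.containsKey(authKey)` just above, rather than the value stored in `authType`, so unless that key is literally "oauth" or "kerberos" neither `oauth` nor `kerberos` is ever populated and `getKerberos()` returns null. Compare the configured value instead, null-safely: `if ("oauth".equals(authType)) {` and `} else if ("kerberos".equals(authType)) {`. The context line right after the added block shows the pre-existing `if (authKey.equals("oauth")) {` still in place, so the OAuth construction now appears twice and one copy should be dropped. `principal` and `keytabFile` are taken from `prop.getProperty(...)` with no presence check, so a missing key becomes a null field; the definition of `authKey` and the rest of the method are outside this hunk.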
@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.gravitino.cli;
+
+public class KerberosData {
+ protected final String principal;
+ protected final String keytabFile;
+
+ /**
+ * Constructs an {@code KerberosData} instance with the specified principal and keytab file.
+ *
+ * @param principal the Kerberos principal (e.g. a user or service identity)
+ * @param keytabFile the path to the keytab file
+ */
+ public KerberosData(String principal, String keytabFile) {
+ this.principal = principal;
+ this.keytabFile = keytabFile;
+ }
+
+ /**
+ * Returns the Kerberos principal associated with this {@code KerberosData}.
+ *
+ * @return the principal
+ */
+ public String getPrincipal() {
+ return principal;
+ }
+
+ /**
+ * Returns the keytab file path associated with this {@code KerberosData}.
+ *
+ * @return the keytab file path
+ */
+ public String getKeytabFile() {
+ return keytabFile;
+ }
+}
diff --git a/clients/cli/src/main/java/org/apache/gravitino/cli/commands/Command.java b/clients/cli/src/main/java/org/apache/gravitino/cli/commands/Command.java
index 66143ceb4..59b1b9024 100644
--- a/clients/cli/src/main/java/org/apache/gravitino/cli/commands/Command.java
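Review bot: `KerberosData` is a public, non-final class with `protected final` fields and no class-level Javadoc, although it carries the identity and keytab location used to authenticate. Both fields already have getters, so `private final String principal;` and `private final String keytabFile;` on a `public final class KerberosData` would keep the holder closed to subclass and same-package field access. The constructor Javadoc should also say that either argument may be null when the corresponding key is absent from the configuration file, since GravitinoConfig passes `prop.getProperty(...)` results straight in. A class comment such as `/** Holds the Kerberos principal and keytab file path read from the CLI configuration file. */` would cover the rest.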
+++ b/clients/cli/src/main/java/org/apache/gravitino/cli/commands/Command.java @@ -21,7 +21,9 @@ package org.apache.gravitino.cli.commands; import static org.apache.gravitino.client.GravitinoClientBase.Builder; +import java.io.File; import org.apache.gravitino.cli.GravitinoConfig; +import org.apache.gravitino.cli.KerberosData; import org.apache.gravitino.cli.OAuthData; import org.apache.gravitino.cli.outputs.PlainFormat; import org.apache.gravitino.cli.outputs.TableFormat; @@ -29,6 +31,7 @@ import org.apache.gravitino.client.DefaultOAuth2TokenProvider; import org.apache.gravitino.client.GravitinoAdminClient; import org.apache.gravitino.client.GravitinoClient; import org.apache.gravitino.client.GravitinoClientBase; +import org.apache.gravitino.client.KerberosTokenProvider; import org.apache.gravitino.exceptions.NoSuchMetalakeException; /* The base for all commands. */ @@ -41,6 +44,7 @@ public abstract class Command { private static final String SIMPLE_AUTH = "simple"; private static final String OAUTH_AUTH = "oauth"; + private static final String KERBEROS_AUTH = "kerberos"; private final String url; private final boolean ignoreVersions; @@ -139,6 +143,16 @@ public abstract class Command { .build(); builder = builder.withOAuth(tokenProvider); + } else if (authentication.equals(KERBEROS_AUTH)) { + GravitinoConfig config = new GravitinoConfig(null); + KerberosData kerberos = config.getKerberos(); + KerberosTokenProvider tokenProvider = + KerberosTokenProvider.builder() + .withClientPrincipal(kerberos.getPrincipal()) + .withKeyTabFile(new File(kerberos.getKeytabFile())) + .build(); + + builder = builder.withKerberosAuth(tokenProvider); } else { System.err.println("Unsupported authentication type " + authentication); } diff --git a/docs/cli.md b/docs/cli.md index 6c273953e..5324d9f01 100644 --- a/docs/cli.md +++ b/docs/cli.md 
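Review bot: In the new `KERBEROS_AUTH` branch, `new GravitinoConfig(null)` is followed directly by `config.getKerberos()` with no `config.fileExists()` / `config.read()` in between, whereas GravitinoCommandLine calls `read()` before using any getter; unless the constructor loads the file, `kerberos` is null here and `kerberos.getPrincipal()` throws a NullPointerException. Even after a read, a missing `principal` or `keytabFile` key reaches `new File(...)` as null and fails the same way, with no hint about the configuration. The branch should load the configuration and reject incomplete Kerberos settings with a clear message before building the token provider, as sketched below. The enclosing method begins above this hunk, so whether the OAuth branch already reads the file is not visible from here.

```java
} else if (authentication.equals(KERBEROS_AUTH)) {
  GravitinoConfig config = new GravitinoConfig(null);
  if (config.fileExists()) {
    config.read();
  }
  KerberosData kerberos = config.getKerberos();
  if (kerberos == null
      || kerberos.getPrincipal() == null
      || kerberos.getKeytabFile() == null) {
    throw new IllegalArgumentException(
        "Kerberos authentication requires principal and keytabFile in the configuration file");
  }
  // … unchanged: KerberosTokenProvider construction and builder.withKerberosAuth(tokenProvider) …
```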
@@ -141,6 +141,15 @@ token=test scope=token/test ``` +Kerberos authentication can also be configured via the configuration file. + +```text +# Authentication +auth=kerberos +principal=user/[email protected] +keytabFile=file.keytab +``` + ### Potentially unsafe operations For operations that delete data or rename a metalake the user with be prompted to make sure they wish to run this command. The `--force` option can be specified to override this behaviour.
