jerqi commented on code in PR #9565:
URL: https://github.com/apache/gravitino/pull/9565#discussion_r2652133311


##########
clients/client-java/src/main/java/org/apache/gravitino/client/KerberosTokenProvider.java:
##########
@@ -155,6 +135,67 @@ void setHost(String host) {
     this.host = host;
   }
 
+  private interface SubjectProvider {
+    Subject get() throws LoginException;
+
+    void close() throws LoginException;
+  }
+
+  private static final class ExistingSubjectProvider implements 
SubjectProvider {
+    private final Subject subject;
+
+    ExistingSubjectProvider(Subject subject) {
+      this.subject = subject;
+    }
+
+    @Override
+    public Subject get() {
+      return subject;
+    }
+
+    @Override
+    public void close() {
+      // no-op
+    }
+  }
+
+  private static final class LoginSubjectProvider implements SubjectProvider {
+    private final String principal;
+    private final String keytabFile;
+    private LoginContext loginContext;
+
+    LoginSubjectProvider(String principal, String keytabFile) {
+      this.principal = principal;
+      this.keytabFile = keytabFile;
+    }
+
+    @Override
+    public synchronized Subject get() throws LoginException {
+      if (loginContext == null) {
+        loginContext = KerberosUtils.login(principal, keytabFile);
+      } else if (keytabFile != null && isLoginTicketExpired(loginContext)) {
+        loginContext.logout();
+        loginContext = KerberosUtils.login(principal, keytabFile);
+      }
+      return loginContext.getSubject();
+    }
+
+    @Override
+    public void close() throws LoginException {
+      if (loginContext != null) {
+        loginContext.logout();
+      }
+    }
+
+    private boolean isLoginTicketExpired(LoginContext ctx) {
+      Set<KerberosTicket> tickets = 
ctx.getSubject().getPrivateCredentials(KerberosTicket.class);
+      if (tickets.isEmpty()) {
+        return false;
+      }
+      return 
tickets.iterator().next().getEndTime().toInstant().isBefore(Instant.now());
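Review bot: `isLoginTicketExpired` inspects whichever `KerberosTicket` the set iterator yields first and reports "not expired" when the set is empty, so the re-login decision in `get()` can rest on a service ticket instead of the TGT, and a `LoginContext` whose `logout()` succeeded but whose following `KerberosUtils.login` threw presumably keeps handing out a Subject with no credentials. `getEndTime()` can also return null for a destroyed ticket, which would surface here as a NullPointerException. I would pick the TGT by its server principal, use `isCurrent()` as the null-safe expiry test, and treat "no TGT" as expired, as sketched below. Separately, `close()` reads `loginContext` without the lock that `get()` holds; `public synchronized void close() throws LoginException` would keep a logout from interleaving with a re-login. The method body continues past the end of the quoted hunk.

```java
    private boolean isLoginTicketExpired(LoginContext ctx) {
      for (KerberosTicket ticket : ctx.getSubject().getPrivateCredentials(KerberosTicket.class)) {
        // Only the TGT decides whether a fresh keytab login is needed.
        if (ticket.getServer() != null && ticket.getServer().getName().startsWith("krbtgt/")) {
          // isCurrent() is false once the end time has passed or the ticket was destroyed.
          return !ticket.isCurrent();
        }
      }
      // No TGT in the Subject (e.g. an earlier re-login failed after logout): log in again.
      return true;
```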

Review Comment:
   Done.



##########
clients/client-java/src/main/java/org/apache/gravitino/client/KerberosTokenProvider.java:
##########
@@ -196,10 +237,20 @@ public Builder withKeyTabFile(File file) {
      *
      * @return The built KerberosTokenProvider instance.
      */
-    @SuppressWarnings("null")
+    @SuppressWarnings("removal")
     public KerberosTokenProvider build() {
       KerberosTokenProvider provider = new KerberosTokenProvider();
 
+      java.security.AccessControlContext context = 
java.security.AccessController.getContext();
+      Subject subject = Subject.getSubject(context);
+      if (subject != null
+          && (!subject.getPrivateCredentials(KerberosKey.class).isEmpty()
+              || 
!subject.getPrivateCredentials(KerberosTicket.class).isEmpty())) {
+        provider.subjectProvider = new ExistingSubjectProvider(subject);
+        provider.clientPrincipal = extractPrincipalFromSubject(subject);
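Review bot: `Subject.getSubject(AccessControlContext)` in `build()` is deprecated for removal, and on recent JDKs where the Security Manager is not allowed it throws `UnsupportedOperationException` (JDK 23 and later, as far as I know), which would make `build()` fail even for callers who only want the keytab path. Suppressing the "removal" warning hides that, so I would guard the lookup, for example `try { subject = Subject.getSubject(context); } catch (UnsupportedOperationException e) { subject = null; }`, and fall through to the configured login. A second point: the ambient Subject is checked first, so from these lines it appears to win over a principal and keytab set on the builder; a comment stating that precedence, or a check that `extractPrincipalFromSubject(subject)` matches a configured principal, would keep the client from authenticating as an unexpected identity. The rest of `build()` lies outside the quoted hunk, so the fallback branch cannot be confirmed from here.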

Review Comment:
   Done.


