jerqi commented on code in PR #9569:
URL: https://github.com/apache/gravitino/pull/9569#discussion_r2659584566
##########
catalogs/hadoop-common/src/main/java/org/apache/gravitino/catalog/hadoop/fs/HDFSFileSystemProxy.java:
##########
@@ -46,67 +46,61 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-/**
- * A FileSystem wrapper that runs all operations under a specific UGI
(UserGroupInformation).
- * Supports both simple and Kerberos authentication, with automatic ticket
renewal.
- */
+/** A FileSystem wrapper that runs all operations under a specific UGI
(UserGroupInformation). */
public class HDFSFileSystemProxy implements MethodInterceptor {
private static final Logger LOG =
LoggerFactory.getLogger(HDFSFileSystemProxy.class);
- private static final long DEFAULT_RENEW_INTERVAL_MS = 10 * 60 * 1000L;
+ public static final String GRAVITINO_KEYTAB_FORMAT = "keytabs/gravitino-%s";
private static final String SYSTEM_USER_NAME =
System.getProperty("user.name");
private static final String SYSTEM_ENV_HADOOP_USER_NAME = "HADOOP_USER_NAME";
+ private static final String GRAVITINO_ID_KEY = "gravitino.identifier";
- private final UserGroupInformation ugi;
+ private final UserGroupInformation loginUgi;
private final FileSystem fs;
private final Configuration configuration;
- private ScheduledExecutorService kerberosRenewExecutor;
+ private final boolean impersonationEnabled;
+ private String kerberosRealm;
/**
* Create a HDFSAuthenticationFileSystem with the given path and
configuration. Supports both
- * simple and Kerberos authentication, with automatic ticket renewal for
Kerberos.
+ * simple and Kerberos authentication.
*
* @param path the HDFS path
* @param conf the Hadoop configuration
+ * @param config the configuration map of Gravitino
*/
- public HDFSFileSystemProxy(Path path, Configuration conf) {
+ public HDFSFileSystemProxy(Path path, Configuration conf, Map<String,
String> config) {
try {
conf.setBoolean(FS_DISABLE_CACHE, true);
conf.setBoolean(IPC_FALLBACK_TO_SIMPLE_AUTH_ALLOWED, true);
this.configuration = conf;
- String authType = conf.get(HADOOP_SECURITY_AUTHENTICATION, AUTH_SIMPLE);
- if (AUTH_KERBEROS.equalsIgnoreCase(authType)) {
- String krb5Config = conf.get(HADOOP_KRB5_CONF);
-
- if (krb5Config != null) {
- System.setProperty(SECURITY_KRB5_ENV, krb5Config);
- }
- UserGroupInformation.setConfiguration(conf);
- String principal = conf.get(HADOOP_SECURITY_PRINCIPAL, null);
- String keytab = conf.get(HADOOP_SECURITY_KEYTAB, null);
-
- if (principal == null || keytab == null) {
- throw new GravitinoRuntimeException(
- "Kerberos principal and keytab must be provided for kerberos
authentication");
- }
+ AuthenticationConfig authenticationConfig = new
AuthenticationConfig(config, configuration);
+ this.impersonationEnabled =
authenticationConfig.isImpersonationEnabled();
- this.ugi =
UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
- startKerberosRenewalTask(principal);
+ String authType = authenticationConfig.getAuthType();
+ if (AUTH_KERBEROS.equalsIgnoreCase(authType)) {
+ this.configuration.set(
+ HADOOP_SECURITY_AUTHENTICATION,
+
UserGroupInformation.AuthenticationMethod.KERBEROS.name().toLowerCase(Locale.ROOT));
+ this.loginUgi = initKerberosUgi(config, configuration);
} else {
String userName = System.getenv(SYSTEM_ENV_HADOOP_USER_NAME);
if (StringUtils.isEmpty(userName)) {
userName = SYSTEM_USER_NAME;
}
- this.ugi = UserGroupInformation.createRemoteUser(userName);
+ this.loginUgi = UserGroupInformation.createRemoteUser(userName);
Review Comment:
If you want to reuse this part code in the GVFS, this is wrong. LoginUgi may
retrieve from the AccessContext.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
