This is an automated email from the ASF dual-hosted git repository.
abukor pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git
The following commit(s) were added to refs/heads/master by this push:
new 72ab7ea [java] Add JAAS example to client API doc
72ab7ea is described below
commit 72ab7ea3bbcb39383607a9de91ea80eb86cd3507
Author: Attila Bukor <[email protected]>
AuthorDate: Mon Jan 11 20:27:11 2021 +0100
[java] Add JAAS example to client API doc
The AsyncKuduClient class documents how to connect to a secure Kudu
cluster using ticket cache or using a keytab when the application is
using hadoop-common libraries. We can't always rely on
UserGroupInformation though, so this commit expands the keytab-based
login case by a JAAS config example.
It also fixes a formatting issue with the "@Override" in the code, as it
wasn't properly rendered.
Change-Id: I7db5bf67727f7318272de7ea2156a33255a2dc8b
Reviewed-on: http://gerrit.cloudera.org:8080/16940
Tested-by: Attila Bukor <[email protected]>
Reviewed-by: Andrew Wong <[email protected]>
---
.../org/apache/kudu/client/AsyncKuduClient.java | 42 ++++++++++++++++++----
1 file changed, 36 insertions(+), 6 deletions(-)
diff --git
a/java/kudu-client/src/main/java/org/apache/kudu/client/AsyncKuduClient.java
b/java/kudu-client/src/main/java/org/apache/kudu/client/AsyncKuduClient.java
index 13162a1..f3a437d 100644
--- a/java/kudu-client/src/main/java/org/apache/kudu/client/AsyncKuduClient.java
+++ b/java/kudu-client/src/main/java/org/apache/kudu/client/AsyncKuduClient.java
@@ -177,10 +177,39 @@ import org.apache.kudu.util.Pair;
* credentials stored in the same Subject instance as was provided when the
* client was instantiated.
* <p>
- * In the context of the Hadoop ecosystem, the {@code UserGroupInformation}
- * class provides utility methods to login from a keytab and then run code as
- * the resulting {@link javax.security.auth.Subject}: <pre>{@code
- * UserGroupInformation.loginUserFromKeytab("my-app", "/path/to/app.keytab");
+ * The easiest way to authenticate using a keytab is by creating a JAAS config
+ * file such as this: <pre>
+ * ExampleLoginContextName {
+ * com.sun.security.auth.module.Krb5LoginModule required
+ * useKeyTab = true
+ * keyTab = "/path/to/app.keytab"
+ * principal = "appuser";
+ * };
+ * </pre>
+ * This can then be passed to the application by adding {@code
+ * -Djava.security.auth.login.config=/path/to/jaas.conf} to the command when
+ * starting it.
+ * This authentication method needs to be set in the code as well by wrapping
+ * the code interacting with Kudu with a {@link
+ * javax.security.auth.Subject#doAs} after creating a login context using the
+ * JAAS config, logging in, and passing the {@link javax.security.auth.Subject}
+ * to the <i>doAs</i>:
+ * <pre>
+ * LoginContext login = new LoginContext("ExampleLoginContextName");
+ * login.login();
+ * KuduClient c = Subject.doAs(login.getSubject(),
+ * (PrivilegedAction<KuduClient>) () -> {
+ * return myClientBuilder.build();
+ * });
+ * </pre>
+ * In this case it's necessary to periodically re-login as needed and run doAs
+ * using the new subject.
+ * <p>
+ * In the context of the Hadoop ecosystem, the {@code
+ * org.apache.hadoop.security.UserGroupInformation} class provides utility
+ * methods to login from a keytab and then run code as the resulting {@link
+ * javax.security.auth.Subject}: <pre>
+ * UserGroupInformation.loginUserFromKeytab("appuser",
"/path/to/app.keytab");
* KuduClient c = UserGroupInformation.getLoginUser().doAs(
* new PrivilegedExceptionAction<KuduClient>() {
* @Override
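Review bot: In the new JAAS snippet the cast `(PrivilegedAction<KuduClient>)` sits in a plain `<pre>` instead of `{@code}`, so Javadoc treats `<KuduClient>` as an HTML tag and the type argument does not show up in the rendered text. The same now applies to the context line `new PrivilegedExceptionAction<KuduClient>()`, because this hunk also changes the UserGroupInformation block from `<pre>{@code` to `<pre>`. Please escape these as `&lt;KuduClient&gt;`, and the `>` in `->` as `&gt;`. Separately, "periodically re-login as needed and run doAs using the new subject" leaves open whether a client that is already built picks up the renewed credentials, given that the context line above says the client uses the same Subject instance it was instantiated with. Please state whether the client has to be rebuilt after re-login. Also, the second line of the `loginUserFromKeytab` call, `"/path/to/app.keytab");`, has no `+ *` prefix here; if that is in the change itself and not a mail wrap, it breaks the comment.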
@@ -189,8 +218,9 @@ import org.apache.kudu.util.Pair;
* }
* }
* );
- * }</pre> The {@code UserGroupInformation} class will also automatically
- * start a thread to periodically re-login from the keytab.
+ * </pre> The {@code UserGroupInformation} class will also automatically
+ * start a thread to periodically re-login from the keytab. It's not necessary
+ * to pass a JAAS config.
*
* <h3>Debugging Kudu's usage of Kerberos credentials</h3>
*
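Review bot: The added sentence "It's not necessary to pass a JAAS config." directly follows the sentence about the re-login thread and has no subject of its own, so it is unclear whether it refers to the re-login or to the UserGroupInformation approach as a whole. Suggest wording it as "When using UserGroupInformation, no JAAS config file is needed" and moving it to the start of the paragraph that introduces the class, before the example. As a style point, the prose continues on the same line as the closing `</pre>`; starting it on its own line after a `<p>` would match the paragraph breaks used elsewhere in this comment.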