[ https://issues.apache.org/jira/browse/PHOENIX-4749?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16490888#comment-16490888 ]
Josh Elser commented on PHOENIX-4749:
-------------------------------------
[~alexaraujo], how are you going to determine what the username is for
impersonation by PQS if not using SPNEGO? The default RemoteUserExtractor
implementation provided in the same class which pulls from an HTTP parameter?
This is more of a documentation issue we'll need to get better at.

In {{configureClientAuthentication}}, I'd suggest you put all of the keytab and
principal information into the {{if (!disableSpnego)}} block as it's not used
otherwise. e.g. all of the following:
{code}
String keytabPath = getConf().get(QueryServices.QUERY_SERVER_KEYTAB_FILENAME_ATTRIB);
File keytab = new File(keytabPath);

String httpKeytabPath =
    getConf().get(QueryServices.QUERY_SERVER_HTTP_KEYTAB_FILENAME_ATTRIB, null);
String httpPrincipal =
    getConf().get(QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB, null);
// Backwards compat for a configuration key change
if (httpPrincipal == null) {
  httpPrincipal =
      getConf().get(QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB_LEGACY, null);
}
File httpKeytab = null;
if (null != httpKeytabPath)
  httpKeytab = new File(httpKeytabPath);

String realmsString = getConf().get(QueryServices.QUERY_SERVER_KERBEROS_ALLOWED_REALMS, null);
String[] additionalAllowedRealms = null;
if (null != realmsString) {
  additionalAllowedRealms = StringUtils.split(realmsString, ',');
}
{code}
And in the new test class, can you make sure both test methods validate that
{{builder.withImpersonation(..)}} is called, please?

Otherwise seems OK if tests are passing.
> Support impersonation without SPNEGO authn via PQS with Kerberized HBase
> ------------------------------------------------------------------------
>
> Key: PHOENIX-4749
> URL: https://issues.apache.org/jira/browse/PHOENIX-4749
> Project: Phoenix
> Issue Type: Improvement
> Reporter: Alex Araujo
> Assignee: Alex Araujo
> Priority: Major
> Fix For: 4.14.0, 5.0.0
>
> Attachments: PHOENIX-4749.patch
>
>
> Phoenix Query Server only supports SPNEGO auth (Kerberos) with impersonation.
> Allow other authentication methods to be used with impersonation.