[ 
https://issues.apache.org/jira/browse/HBASE-20886?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16554397#comment-16554397
 ] 

Josh Elser commented on HBASE-20886:
------------------------------------

{quote}It seems like there's minimal risk of surprising folks about credentials 
in the JVM since folks have to opt-in by setting configuration values to point 
at a keytab / principal.
{quote}
That's a good point. I hadn't looked closely enough at the patch. I think 
documenting these configuration keys sufficiently would be safe enough.
{code:java}
+      if (user.getUGI().hasKerberosCredentials()) {
+        // There's already user, just return.
+        return user;{code}
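Review bot: the early return at `if (user.getUGI().hasKerberosCredentials())` hands back whatever Kerberos identity already happens to be in the JVM without checking that its principal is the one configured in {{hbase.client.keytab.principal}}; compare the UGI's principal name against the configured principal before returning, and fall through to the keytab login (or fail loudly) on a mismatch, so a stray ticket from another user is never reused silently.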
This worries me a little bit :). Could you expand this check to include the 
principal of the current user with krb credentials against the specified 
principal in the configuration? That would help me sleep better at night.

One open thought: how does this play with MapReduce code where we are 
connecting to HBase via delegation-tokens instead of real Kerberos credentials?

One final (perhaps meandering) thought: can we make an API which would insulate 
us from multiple credentials-like issues? Let me pseudo-code ... (I have no 
idea if UGI renewal actually works in this context, or if this is de facto 
"good", just thinking out loud).
{code:java}
// Sketch only: AuthUtil.spawnRenewalChore() is a hypothetical helper; the UGI and
// ConnectionFactory calls are the real Hadoop / HBase APIs.
public <T> T callWithCredentials(Configuration conf, ClientOperation<T> clientOperation)
    throws Exception {
  // Log in from the configured keytab without touching the process-wide login user.
  UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
      conf.get("hbase.client.keytab.principal"), conf.get("hbase.client.keytab.file"));
  return ugi.doAs(new PrivilegedExceptionAction<T>() {
    @Override
    public T run() throws Exception {
      // Hypothetical: keep the TGT renewed for as long as the operation runs.
      Chore c = AuthUtil.spawnRenewalChore();
      try (Connection conn = ConnectionFactory.createConnection(conf)) {
        return clientOperation.call(conn);
      } finally {
        c.stop();
      }
    }
  });
}

// Callable-like operation that receives the connection opened under the logged-in UGI.
public interface ClientOperation<T> {
  T call(Connection conn) throws Exception;
}{code}
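As an added example (not code from the HBASE-20886 patch or from HBase itself), here is what the principal check asked for above could look like, written directly against Hadoop's UserGroupInformation: an existing Kerberos identity is reused only when its principal matches {{hbase.client.keytab.principal}}, a token-only identity (the MapReduce delegation-token case) is left alone, and anything else triggers a fresh keytab login. The class name ClientKeytabLogin and the choice to resolve _HOST against the local canonical hostname are this example's assumptions.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.util.Objects;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;

/**
 * Decides which UGI an HBase client should use when the client keytab settings are
 * present. Example code for HBASE-20886, not part of the patch or of HBase.
 */
public final class ClientKeytabLogin {

  // Configuration keys named in the issue description.
  static final String KEYTAB_FILE_KEY = "hbase.client.keytab.file";
  static final String KEYTAB_PRINCIPAL_KEY = "hbase.client.keytab.principal";

  private ClientKeytabLogin() {}

  /**
   * Expands a _HOST placeholder in the configured principal (assumption: against the
   * local canonical hostname) so it can be compared with a live UGI's principal name.
   */
  static String configuredPrincipal(Configuration conf) throws IOException {
    String principal = conf.get(KEYTAB_PRINCIPAL_KEY);
    if (principal == null) {
      return null;
    }
    String host = InetAddress.getLocalHost().getCanonicalHostName();
    return SecurityUtil.getServerPrincipal(principal, host);
  }

  /**
   * True only when the UGI holds Kerberos credentials for exactly the wanted principal.
   * A ticket for some other principal (for example from an interactive kinit) does not
   * count, which is the check missing from the bare hasKerberosCredentials() test.
   */
  static boolean matchesConfiguredPrincipal(UserGroupInformation ugi, String wantedPrincipal) {
    return ugi.hasKerberosCredentials() && Objects.equals(ugi.getUserName(), wantedPrincipal);
  }

  /** Returns the UGI the client should run as; never logs in when nothing is configured. */
  public static UserGroupInformation loginIfConfigured(Configuration conf) throws IOException {
    String keytab = conf.get(KEYTAB_FILE_KEY);
    String principal = configuredPrincipal(conf);
    UserGroupInformation current = UserGroupInformation.getCurrentUser();

    // Opt-in only: without both keys the behaviour is unchanged.
    if (keytab == null || principal == null) {
      return current;
    }
    // A token-only identity (e.g. a MapReduce task carrying delegation tokens and no
    // TGT) must keep working as it did before the keytab support was added.
    if (!current.hasKerberosCredentials() && !current.getTokens().isEmpty()) {
      return current;
    }
    // Reuse the existing login only when it really is the configured principal.
    if (matchesConfiguredPrincipal(current, principal)) {
      return current;
    }
    if (current.hasKerberosCredentials()) {
      // Mismatch: surface it rather than silently running as the wrong identity.
      System.err.println("WARN: current Kerberos principal " + current.getUserName()
          + " does not match " + KEYTAB_PRINCIPAL_KEY + "=" + principal
          + "; logging in from " + keytab);
    }
    // loginUserFromKeytabAndReturnUGI yields a separate UGI and leaves the JVM's
    // login user untouched, so other code in the process is not affected.
    return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
  }
}
```

The returned UGI is what the client would wrap in a {{User}} and use for {{doAs}} around {{ConnectionFactory.createConnection(conf)}}; the principal comparison is the part that stops an unrelated ticket in the JVM from being picked up by accident.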

> [Auth] Support keytab login in hbase client
> -------------------------------------------
>
>                 Key: HBASE-20886
>                 URL: https://issues.apache.org/jira/browse/HBASE-20886
>             Project: HBase
>          Issue Type: Improvement
>          Components: asyncclient, Client, security
>            Reporter: Reid Chan
>            Assignee: Reid Chan
>            Priority: Critical
>         Attachments: HBASE-20886.master.001.patch, 
> HBASE-20886.master.002.patch, HBASE-20886.master.003.patch, 
> HBASE-20886.master.004.patch
>
>
> There are lots of questions about how to connect to a kerberized hbase cluster 
> through the hbase-client api, from the user mailing list and the slack channel.
> {{hbase.client.keytab.file}} and {{hbase.client.keytab.principal}} already 
> exist in the code base, but they are only used in {{Canary}}.
> This issue is to make use of these two configs to support client-side keytab based 
> login. After this issue is resolved, hbase-client should directly connect to a 
> kerberized cluster without changing any code as long as 
> {{hbase.client.keytab.file}} and {{hbase.client.keytab.principal}} are 
> specified.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
