joshelser commented on a change in pull request #884: HBASE-23347 Allowable
custom authentication methods for RPCs
URL: https://github.com/apache/hbase/pull/884#discussion_r353916365
##########
File path:
hbase-client/src/main/java/org/apache/hadoop/hbase/security/AbstractHBaseSaslRpcClient.java
##########
@@ -79,53 +71,18 @@ protected AbstractHBaseSaslRpcClient(AuthMethod method,
Token<? extends TokenIde
* @param rpcProtection the protection level ("authentication", "integrity"
or "privacy")
* @throws IOException
*/
- protected AbstractHBaseSaslRpcClient(AuthMethod method, Token<? extends
TokenIdentifier> token,
+ protected AbstractHBaseSaslRpcClient(Configuration conf,
+ SaslClientAuthenticationProvider provider, Token<? extends
TokenIdentifier> token,
String serverPrincipal, boolean fallbackAllowed, String rpcProtection)
throws IOException {
this.fallbackAllowed = fallbackAllowed;
saslProps = SaslUtil.initSaslProperties(rpcProtection);
- switch (method) {
- case DIGEST:
- if (LOG.isDebugEnabled()) LOG.debug("Creating SASL " +
AuthMethod.DIGEST.getMechanismName()
- + " client to authenticate to service at " + token.getService());
- saslClient = createDigestSaslClient(new String[] {
AuthMethod.DIGEST.getMechanismName() },
- SaslUtil.SASL_DEFAULT_REALM, new SaslClientCallbackHandler(token));
- break;
- case KERBEROS:
- if (LOG.isDebugEnabled()) {
- LOG.debug("Creating SASL " + AuthMethod.KERBEROS.getMechanismName()
- + " client. Server's Kerberos principal name is " +
serverPrincipal);
- }
- if (serverPrincipal == null || serverPrincipal.length() == 0) {
- throw new IOException("Failed to specify server's Kerberos principal
name");
- }
- String[] names = SaslUtil.splitKerberosName(serverPrincipal);
- if (names.length != 3) {
- throw new IOException(
- "Kerberos principal does not have the expected format: " +
serverPrincipal);
- }
- saslClient = createKerberosSaslClient(
- new String[] { AuthMethod.KERBEROS.getMechanismName() }, names[0],
names[1]);
- break;
- default:
- throw new IOException("Unknown authentication method " + method);
- }
+
+ saslClient = provider.createClient(conf, serverPrincipal, token,
fallbackAllowed, saslProps);
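Review bot: The guards this hunk deletes (the `serverPrincipal == null || serverPrincipal.length() == 0` check and the `names.length != 3` Kerberos principal format check) have no visible replacement, and `provider.createClient(conf, serverPrincipal, token, fallbackAllowed, saslProps)` is invoked without a null check on `provider`. Unless the Kerberos provider's `createClient` repeats those checks, a missing or malformed principal will surface later as a less specific SASL error or NPE instead of the clear `IOException("Failed to specify server's Kerberos principal name")` / "Kerberos principal does not have the expected format" errors callers get today; either confirm the provider enforces them or keep the checks here until it does. The debug lines naming the mechanism and the target service (`token.getService()`, `serverPrincipal`) are dropped as well, which removes useful context when diagnosing authentication failures. Also, the Javadoc immediately above still documents only `rpcProtection`; add `@param conf` and `@param provider` for the new constructor arguments.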
Review comment:
I agree with your line of thinking, but struggle to suggest a better way to
do it. Right now, the client authentication provider will be used to create a
new SaslClient every time we try to RPC to a remote service. That might be the
Master, RS, Thrift server (or anything else in SecurityInfo).
We could push the `SecurityInfo` from RpcConnection down into the
AuthenticationProvider -- maybe that's cleaner than the Kerberos principal
itself? If we have the SecurityInfo, we could re-compute the kerberos name just
inside the authnprovider where we need it to create the SaslClient.
Let me try.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services