joshelser commented on a change in pull request #884: HBASE-23347 Allowable
custom authentication methods for RPCs
URL: https://github.com/apache/hbase/pull/884#discussion_r366105868
##########
File path:
hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/RpcConnection.java
##########
@@ -81,115 +81,53 @@
// the last time we were picked up from connection pool.
protected long lastTouched;
+ protected SaslClientAuthenticationProvider provider;
+
protected RpcConnection(Configuration conf, HashedWheelTimer timeoutTimer,
ConnectionId remoteId,
String clusterId, boolean isSecurityEnabled, Codec codec,
CompressionCodec compressor)
throws IOException {
if (remoteId.getAddress().isUnresolved()) {
throw new UnknownHostException("unknown host: " +
remoteId.getAddress().getHostName());
}
+ this.serverAddress = remoteId.getAddress().getAddress();
this.timeoutTimer = timeoutTimer;
this.codec = codec;
this.compressor = compressor;
this.conf = conf;
UserGroupInformation ticket = remoteId.getTicket().getUGI();
- SecurityInfo securityInfo =
SecurityInfo.getInfo(remoteId.getServiceName());
+ this.securityInfo = SecurityInfo.getInfo(remoteId.getServiceName());
this.useSasl = isSecurityEnabled;
- Token<? extends TokenIdentifier> token = null;
- String serverPrincipal = null;
+
+ // Choose the correct Token and AuthenticationProvider for this client to
use
+ SaslClientAuthenticationProviders providers =
+ SaslClientAuthenticationProviders.getInstance(conf);
+ Pair<SaslClientAuthenticationProvider, Token<? extends TokenIdentifier>>
pair;
if (useSasl && securityInfo != null) {
- AuthenticationProtos.TokenIdentifier.Kind tokenKind =
securityInfo.getTokenKind();
- if (tokenKind != null) {
- TokenSelector<? extends TokenIdentifier> tokenSelector =
AbstractRpcClient.TOKEN_HANDLERS
- .get(tokenKind);
- if (tokenSelector != null) {
- token = tokenSelector.selectToken(new Text(clusterId),
ticket.getTokens());
- } else if (LOG.isDebugEnabled()) {
- LOG.debug("No token selector found for type " + tokenKind);
+ pair = providers.selectProvider(new Text(clusterId), ticket);
+ if (pair == null) {
+ if (LOG.isTraceEnabled()) {
+ LOG.trace("Found no valid authentication method from providers={}
with tokens={}",
+ providers.toString(), ticket.getTokens());
}
+ throw new RuntimeException("Found no valid authentication method from
options");
}
- String serverKey = securityInfo.getServerPrincipal();
- if (serverKey == null) {
- throw new IOException("Can't obtain server Kerberos config key from
SecurityInfo");
- }
- serverPrincipal = SecurityUtil.getServerPrincipal(conf.get(serverKey),
- remoteId.address.getAddress().getCanonicalHostName().toLowerCase());
- if (LOG.isDebugEnabled()) {
- LOG.debug("RPC Server Kerberos principal name for service=" +
remoteId.getServiceName()
- + " is " + serverPrincipal);
- }
- }
- this.token = token;
- this.serverPrincipal = serverPrincipal;
- if (!useSasl) {
- authMethod = AuthMethod.SIMPLE;
- } else if (token != null) {
- authMethod = AuthMethod.DIGEST;
+ } else if (!useSasl) {
+ // Hack, while SIMPLE doesn't go via SASL.
+ pair = providers.getSimpleProvider();
Review comment:
Somewhere I had mused about this (I can't remember where anymore, so no
shade-throwing)
I would like to move our "SIMPLE" authentication to using the SASL PLAIN
mechanism (username passed along with an empty password). This would make ALL
of our RPC code use SASL with would get rid of a lot of these gross if/else
blocks. I do, however, expect some performance impact to come from this. I
didn't want to bite off both in this one change.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
