[ https://issues.apache.org/jira/browse/PHOENIX-5006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16679081#comment-16679081 ]

Josh Elser commented on PHOENIX-5006:
-------------------------------------

bq. a cluster is determined to be secure if the jdbc string includes Principal 
/ Keytab and it does a UGI login

Is it? I would have said that hadoop.security.authentication and 
hbase.security.authentication would ultimately be the "hooks" to control this.

bq. try to use the logged in user's Kerberos ticket to create the connection.

I would have thought that if hbase-site.xml is on the classpath correctly, and 
the user has a valid Kerberos ticket in the expected ticket cache location, we 
would automatically pick this up today. If this doesn't happen today, I think 
that's something "simple" we can look at.

bq. If one creates a site.xml with this property alone and includes it in the 
classpath of the code making the jdbc connection to Phoenix, the connection is 
successful which satisfies this requirement in an indirect way. But it would be 
good to accept this property setting through the props to the connection so 
that no site.xml needs to be maintained by the user.

Requiring a certain hbase-site.xml (or core-site.xml) to be on the classpath 
for JDBC is a smell, larger than just for Kerberos authentication purposes. I 
think improvement #2 could be that we accept a variety of configuration 
properties off of the JDBC URL. With Java code today, you can do this via the 
Java Properties object you pass to DriverManager to construct the 
Driver/Connection object, but there's not a good way using other JDBC tools 
(e.g. sqlline, bi-tools, zeppelin). Figuring out some way to do this would be a 
big help to all.

> jdbc connection to secure cluster should be able to use Kerberos ticket of 
> user
> -------------------------------------------------------------------------------
>
>                 Key: PHOENIX-5006
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-5006
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Biju Nair
>            Priority: Minor
>
> Currently JDBC connection against a secure Phoenix cluster requires a 
> Kerberos principal and keytab to be passed in as part of the connection 
> string. But in many instances users may not have a {{Keytab}} especially 
> during development. It would be good to support using the logged-in user's 
> Kerberos ticket. 
>   



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
