[jira] [Commented] (PHOENIX-5006) jdbc connection to secure cluster should be able to use Kerberos ticket of user

Mon, 03 Dec 2018 15:39:24 -0800 


    [ 
https://issues.apache.org/jira/browse/PHOENIX-5006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16707988#comment-16707988
 ] 

Josh Elser commented on PHOENIX-5006:
-------------------------------------

[~gsbiju], hey, sorry for the silence. Been a rough month.

I'm looking at the patch you've supplied. This part of the login code is pretty 
gross and has lots of bad assumptions around it. Abstractly: I think what 
you're trying to do is good in spirit:
 # Can we tell if security is enabled? We should build the Configuration which 
was built from site.xml files as well as the JDBC properties.
 # Try to log in if security is enabled.
 ## Log in via princ+keytab from config (again, which pulls from site.xml or 
the JDBC properties)
 ## Log in via krb5 login module which will pull from the ticket cache by 
default (this might even be able to dynamically prompt you since we're in a 
user-interactive context)

I think inverting the logic will help clear a bit of this up. Also, I don't 
think we need to worry about all of the scariness in 2.1 (figuring out when to 
re-login if we already have some creentials) applies for 2.2 which simplifies 
things.

Do you want to try your hand at the above, [~gsbiju], or should I continue? 
I've just mocked it up a little locally to make sure I liked what I was 
suggesting.

> jdbc connection to secure cluster should be able to use Kerberos ticket of 
> user
> -------------------------------------------------------------------------------
>
>                 Key: PHOENIX-5006
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-5006
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Biju Nair
>            Priority: Minor
>         Attachments: PHOENIX-5006.possiblefix
>
>
> Currently JDBC connection against a secure Phoenix cluster requires a 
> Kerberos principal and keytab to be passed in as part of the connection 
> string. But in many instances users may not have a {{Keytab}} especially 
> during development. It would be good to support using the logged in users 
> Kerberos ticket. 
>   



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to