[ https://issues.apache.org/jira/browse/PHOENIX-5006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16709508#comment-16709508 ]

Josh Elser commented on PHOENIX-5006:
-------------------------------------

{quote}The intention for the snippet provided in the file is to show that the 
change we need to make is probably on {{Phoenix}} and not on the {{HBase}} side 
which you were planning to dig in based on earlier comment
{quote}
I think you're conflating a few different issues into one, which is why I've 
been struggling to keep up :)
 # Phoenix doesn't always get configuration properties provided via the JDBC 
url included in the Hadoop Configuration (it does eventually get them, but 
after we do Kerberos login based on provided credentials)
 # Phoenix won't automatically pick up Kerberos credentials from a ticket cache 
(needs a Java wrapper to "prime" UGI, I think)
 # Having to provide extra files on the classpath for a JDBC application is a 
"smell" (similar to #1 but extends much farther – e.g. HDFS HA namenodes 
requires core-site and hdfs-site on the classpath to even talk to HA NNs 
properly, at least the last time I checked).

#1 is something we can definitely make happen. #2 is what I was surprised 
didn't automagically work via HBase – it might be that HBase will only pick it 
up if a login via UGI happened already, not just from a local ticket cache (as 
JAAS would do). #3 is really difficult and not something I think Phoenix can 
solve. We should make sure that #1 is only done for exceptional cases, not 
something absurd like someone serializing all of their hadoop configs into a 
Phoenix JDBC url...

Does that help? (and did I get it all?)

> jdbc connection to secure cluster should be able to use Kerberos ticket of 
> user
> -------------------------------------------------------------------------------
>
>                 Key: PHOENIX-5006
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-5006
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Biju Nair
>            Priority: Minor
>         Attachments: PHOENIX-5006.possiblefix
>
>
> Currently JDBC connection against a secure Phoenix cluster requires a 
> Kerberos principal and keytab to be passed in as part of the connection 
> string. But in many instances users may not have a {{Keytab}} especially 
> during development. It would be good to support using the logged-in user's 
> Kerberos ticket. 
>   



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)