joshelser commented on a change in pull request #20: PHOENIX-5772 Streamline
the kerberos logic in thin client java code
URL: https://github.com/apache/phoenix-queryserver/pull/20#discussion_r391833950
##########
File path:
queryserver-client/src/main/java/org/apache/phoenix/queryserver/client/SqllineWrapper.java
##########
@@ -28,71 +33,55 @@
* make a pre-populated ticket cache (via kinit before launching)
transparently work.
*/
public class SqllineWrapper {
- public static final String HBASE_AUTHENTICATION_ATTR =
"hbase.security.authentication";
- public static final String QUERY_SERVER_SPNEGO_AUTH_DISABLED_ATTRIB =
"phoenix.queryserver.spnego.auth.disabled";
- public static final boolean DEFAULT_QUERY_SERVER_SPNEGO_AUTH_DISABLED =
false;
- static UserGroupInformation tryLogin(Configuration conf) {
- // Try to avoid HBase dependency too. Sadly, we have to bring in all of
hadoop-common for this..
- if ("kerberos".equalsIgnoreCase(conf.get(HBASE_AUTHENTICATION_ATTR))) {
- // sun.security.krb5.principal is the property for setting the principal
name, if that
- // isn't set, fall back to user.name and hope for the best.
- String principal = System.getProperty("sun.security.krb5.principal",
System.getProperty("user.name"));
- try {
- // We got hadoop-auth via hadoop-common, so might as well use it.
- return UserGroupInformation.getUGIFromTicketCache(null, principal);
- } catch (Exception e) {
- //Fall through
- System.err.println("Kerberos login failed using ticket cache. Did you
kinit?");
+ static Subject login() throws LoginException {
+ Subject subject = new Subject();
+
+ LoginContext lc;
+ lc = new LoginContext("ThinClient", subject, new CallbackHandler() {
+ @Override
+ public void handle(Callback[] callbacks)
+ throws IOException, UnsupportedCallbackException {
+ throw new UnsupportedCallbackException(callbacks[0], "Only ticket
cache is supported");
}
- }
- return null;
+ });
+ lc.login();
+ return subject;
}
- private static String[] updateArgsForKerberos(String[] origArgs) {
- String[] newArgs = new String[origArgs.length];
- for (int i = 0; i < origArgs.length; i++) {
- String arg = origArgs[i];
- newArgs[i] = arg;
-
- if (arg.equals("-u")) {
- // Get the JDBC url which is the next argument
- i++;
- arg = origArgs[i];
- if (!arg.contains("authentication=")) {
- arg = arg + ";authentication=SPNEGO";
- }
- newArgs[i] = arg;
+ public static String getUrl(String[] args) {
+ for (int i = 0; i < args.length; i++) {
+ String arg = args[i];
+ args[i] = arg;
+ if (arg.equals("-u") && args.length > i+1) {
+ return args[i+1];
}
}
- return newArgs;
+ return null;
}
public static void main(String[] args) throws Exception {
- final Configuration conf = new Configuration(false);
- conf.addResource("hbase-site.xml");
+ String url = getUrl(args);
- // Check if the server config says SPNEGO auth is actually disabled.
- final boolean disableSpnego =
conf.getBoolean(QUERY_SERVER_SPNEGO_AUTH_DISABLED_ATTRIB,
- DEFAULT_QUERY_SERVER_SPNEGO_AUTH_DISABLED);
- if (disableSpnego) {
- SqlLine.main(args);
+ if(url.contains("authentication=SPNEGO;") && !url.contains("principal=")) {
Review comment:
Maybe just `"authentication=SPNEGO"`? This would fail if authentication is
the last element (maybe this is the problem you were having above?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
