joshelser commented on a change in pull request #20: PHOENIX-5772 Streamline
the kerberos logic in thin client java code
URL: https://github.com/apache/phoenix-queryserver/pull/20#discussion_r391833531
##########
File path:
queryserver-client/src/main/java/org/apache/phoenix/queryserver/client/SqllineWrapper.java
##########
@@ -28,71 +33,55 @@
* make a pre-populated ticket cache (via kinit before launching)
transparently work.
*/
public class SqllineWrapper {
- public static final String HBASE_AUTHENTICATION_ATTR =
"hbase.security.authentication";
- public static final String QUERY_SERVER_SPNEGO_AUTH_DISABLED_ATTRIB =
"phoenix.queryserver.spnego.auth.disabled";
- public static final boolean DEFAULT_QUERY_SERVER_SPNEGO_AUTH_DISABLED =
false;
- static UserGroupInformation tryLogin(Configuration conf) {
- // Try to avoid HBase dependency too. Sadly, we have to bring in all of
hadoop-common for this..
- if ("kerberos".equalsIgnoreCase(conf.get(HBASE_AUTHENTICATION_ATTR))) {
- // sun.security.krb5.principal is the property for setting the principal
name, if that
- // isn't set, fall back to user.name and hope for the best.
- String principal = System.getProperty("sun.security.krb5.principal",
System.getProperty("user.name"));
- try {
- // We got hadoop-auth via hadoop-common, so might as well use it.
- return UserGroupInformation.getUGIFromTicketCache(null, principal);
- } catch (Exception e) {
- //Fall through
- System.err.println("Kerberos login failed using ticket cache. Did you
kinit?");
+ static Subject login() throws LoginException {
+ Subject subject = new Subject();
+
+ LoginContext lc;
+ lc = new LoginContext("ThinClient", subject, new CallbackHandler() {
+ @Override
+ public void handle(Callback[] callbacks)
+ throws IOException, UnsupportedCallbackException {
+ throw new UnsupportedCallbackException(callbacks[0], "Only ticket
cache is supported");
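Review bot: In the new handle() override, callbacks[0] is read without checking the array length, so an empty callbacks array would surface as an ArrayIndexOutOfBoundsException rather than the intended UnsupportedCallbackException; guard the index before building the exception. The removed tryLogin() also printed "Did you kinit?" when the ticket cache login failed, and the new message "Only ticket cache is supported" drops that hint, so consider carrying it into the exception text.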
Review comment:
`-Djavax.security.auth.useSubjectCredsOnly=false` should also prevent JAAS
from trying any other ticket acquisition method if the ticket cache login fails.
Even if setting that system property works, having a clear Unsupported
exception here is good!