[kudu-CR] [ranger] pass 'principal' and 'keytab' to the subprocess

Thu, 12 Mar 2020 10:39:51 -0700 

Andrew Wong has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/15416 )

Change subject: [ranger] pass 'principal' and 'keytab' to the subprocess
......................................................................


Patch Set 2:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/15416/1/src/kudu/ranger/ranger_client.cc
File src/kudu/ranger/ranger_client.cc:

http://gerrit.cloudera.org:8080/#/c/15416/1/src/kudu/ranger/ranger_client.cc@354
PS1, Line 354: string config
> In case that Kerberos is not enabled in the cluster, I don't see this is a
The specific case I'm worried about is if the keytab is specified by we can't 
resolve the principal. IIUC that would mean '-k' is non-empty and '-i' is 
empty, and we'd hit an exception here:

https://gerrit.cloudera.org/c/15414/2/java/kudu-subprocess/src/main/java/org/apache/kudu/subprocess/ranger/authorization/RangerKuduAuthorizer.java#81


http://gerrit.cloudera.org:8080/#/c/15416/2/src/kudu/ranger/ranger_client.cc
File src/kudu/ranger/ranger_client.cc:

http://gerrit.cloudera.org:8080/#/c/15416/2/src/kudu/ranger/ranger_client.cc@150
PS2, Line 150: { FLAGS_java_path, "-cp", GetJavaClasspath(), kMainClass,
             :                 "-i", GetKuduPrincipal(), "-k", 
FLAGS_keytab_file }
nit: It feels kind of weird to be passing -i and -k unconditionally.

Maybe define some BuildArgs() function or something that returns the correct 
arguments here? E.g. maybe we don't pass anything for -i or -k if we can't 
evaluate the principal or keytab?

Or make the subprocess heap-allocated and evaluate the arguments at Start()?
Or pass the principal and keytab as environment variables before Start()?



--
To view, visit http://gerrit.cloudera.org:8080/15416
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie30b835b6d44ddb51d95c587f1329bfefebeb37c
Gerrit-Change-Number: 15416
Gerrit-PatchSet: 2
Gerrit-Owner: Hao Hao <[email protected]>
Gerrit-Reviewer: Adar Dembo <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Hao Hao <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Thu, 12 Mar 2020 17:39:33 +0000
Gerrit-HasComments: Yes

Reply via email to