Repository: phoenix Updated Branches: refs/heads/4.x-HBase-0.98 4b85920ef -> 29c2c0a30 refs/heads/4.x-HBase-1.1 894983389 -> 550c195e5 refs/heads/master 4b3e33858 -> 83e56f45b
PHOENIX-3004 Allow configuration in hbase-site to define realms other than the server's By default, PQS is only going to allow in the realm which the principal belongs. Need to create the ability for them to define extra realms (for example to support MIT kerberos with AD). Project: http://git-wip-us.apache.org/repos/asf/phoenix/repo Commit: http://git-wip-us.apache.org/repos/asf/phoenix/commit/83e56f45 Tree: http://git-wip-us.apache.org/repos/asf/phoenix/tree/83e56f45 Diff: http://git-wip-us.apache.org/repos/asf/phoenix/diff/83e56f45 Branch: refs/heads/master Commit: 83e56f45bf6394ce6e7e29edc9edea750a9ced5c Parents: 4b3e338 Author: Josh Elser <[email protected]> Authored: Mon Oct 31 10:56:41 2016 -0400 Committer: Josh Elser <[email protected]> Committed: Mon Oct 31 11:17:25 2016 -0400 ---------------------------------------------------------------------- .../main/java/org/apache/phoenix/query/QueryServices.java | 1 + .../org/apache/phoenix/queryserver/server/QueryServer.java | 9 ++++++++- 2 files changed, 9 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/phoenix/blob/83e56f45/phoenix-core/src/main/java/org/apache/phoenix/query/QueryServices.java
----------------------------------------------------------------------
diff --git a/phoenix-core/src/main/java/org/apache/phoenix/query/QueryServices.java b/phoenix-core/src/main/java/org/apache/phoenix/query/QueryServices.java
index 51a18d4..a89d4eb 100644
--- a/phoenix-core/src/main/java/org/apache/phoenix/query/QueryServices.java
+++ b/phoenix-core/src/main/java/org/apache/phoenix/query/QueryServices.java 
@@ -208,6 +208,7 @@ public interface QueryServices extends SQLCloseable {
 public static final String QUERY_SERVER_UGI_CACHE_MAX_SIZE = "phoenix.queryserver.ugi.cache.max.size";
 public static final String QUERY_SERVER_UGI_CACHE_INITIAL_SIZE = "phoenix.queryserver.ugi.cache.initial.size";
 public static final String QUERY_SERVER_UGI_CACHE_CONCURRENCY = "phoenix.queryserver.ugi.cache.concurrency";
+ public static final String QUERY_SERVER_KERBEROS_ALLOWED_REALMS = "phoenix.queryserver.kerberos.allowed.realms";
 public static final String RENEW_LEASE_ENABLED = "phoenix.scanner.lease.renew.enabled";
 public static final String RUN_RENEW_LEASE_FREQUENCY_INTERVAL_MILLISECONDS = "phoenix.scanner.lease.renew.interval";
 
http://git-wip-us.apache.org/repos/asf/phoenix/blob/83e56f45/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java
----------------------------------------------------------------------
diff --git a/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java b/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java
index d6b7b93..8c44938 100644
--- a/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java
+++ b/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java
@@ -38,6 +38,7 @@ import org.apache.hadoop.net.DNS;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authorize.ProxyUsers;
+import org.apache.hadoop.util.StringUtils;
 import org.apache.hadoop.util.Tool;
 import org.apache.hadoop.util.ToolRunner;
 import org.apache.phoenix.query.QueryServices; 
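Review bot: The new `QUERY_SERVER_KERBEROS_ALLOWED_REALMS` constant is added without any documentation, and unlike the cache-sizing keys around it this one widens who the server will authenticate, so its meaning and format should be stated at the declaration. I would put a comment above it: `// Comma-separated list of Kerberos realms, in addition to the realm of the server's own principal, whose principals PQS will accept over SPNEGO. Every realm listed here is trusted to authenticate users, so only list realms with an established cross-realm trust.` The commit message carries this information but nobody reading the interface will see it.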
@@ -214,8 +215,14 @@ public final class QueryServer extends Configured implements Tool, Runnable {
 String keytabPath = getConf().get(QueryServices.QUERY_SERVER_KEYTAB_FILENAME_ATTRIB);
 File keytab = new File(keytabPath);
 
+ String realmsString = getConf().get(QueryServices.QUERY_SERVER_KERBEROS_ALLOWED_REALMS, null);
+ String[] additionalAllowedRealms = null;
+ if (null != realmsString) {
+ additionalAllowedRealms = StringUtils.split(realmsString, ',');
+ }
+
 // Enable SPNEGO and impersonation (through standard Hadoop configuration means)
- builder.withSpnego(ugi.getUserName())
+ builder.withSpnego(ugi.getUserName(), additionalAllowedRealms)
 .withAutomaticLogin(keytab)
 .withImpersonation(new PhoenixDoAsCallback(ugi, getConf()));
 }
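Review bot: The realm entries produced by `additionalAllowedRealms = StringUtils.split(realmsString, ',');` are not trimmed (Hadoop's split does not strip whitespace, as far as I can tell), so a value written as `EXAMPLE.COM, CORP.LOCAL` yields ` CORP.LOCAL`, which never matches and makes SPNEGO logins from that realm fail with nothing in the logs pointing at the configuration. Since the property is read through `Configuration`, replacing that line with `additionalAllowedRealms = getConf().getTrimmedStrings(QueryServices.QUERY_SERVER_KERBEROS_ALLOWED_REALMS);` inside the existing null check keeps the null-when-unset value handed to `withSpnego` while trimming each entry. Because every realm listed here widens the set of principals the server accepts, the parsed list is also worth logging at startup, if the class has a logger, so operators can see the effective allow-list. Empty entries from a leading or doubled comma would be better rejected with an `IllegalArgumentException` than passed to the authenticator, whose handling of an empty realm I cannot see from here. The enclosing method starts and ends outside the hunk.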
