PHOENIX-4533 Modified Query Server to use two sets of Kerberos credentials Signed-off-by: Josh Elser <els...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/phoenix/repo Commit: http://git-wip-us.apache.org/repos/asf/phoenix/commit/0132bf68 Tree: http://git-wip-us.apache.org/repos/asf/phoenix/tree/0132bf68 Diff: http://git-wip-us.apache.org/repos/asf/phoenix/diff/0132bf68 Branch: refs/heads/4.x-HBase-1.1 Commit: 0132bf684966dbffd08bfcd8ede5fc4f31d08ca5 Parents: add7dd0 Author: Lev Bronshtein <lbronsht...@bloomberg.net> Authored: Wed Jan 31 22:37:50 2018 -0500 Committer: Josh Elser <els...@apache.org> Committed: Fri May 25 15:16:41 2018 -0400 ---------------------------------------------------------------------- .../org/apache/phoenix/query/QueryServices.java | 2 ++ .../phoenix/queryserver/server/QueryServer.java | 17 ++++++++++++++--- 2 files changed, 16 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/phoenix/blob/0132bf68/phoenix-core/src/main/java/org/apache/phoenix/query/QueryServices.java ----------------------------------------------------------------------
diff --git a/phoenix-core/src/main/java/org/apache/phoenix/query/QueryServices.java b/phoenix-core/src/main/java/org/apache/phoenix/query/QueryServices.java
index bbd88f3..5e0a8f1 100644
--- a/phoenix-core/src/main/java/org/apache/phoenix/query/QueryServices.java
+++ b/phoenix-core/src/main/java/org/apache/phoenix/query/QueryServices.java
@@ -237,7 +237,9 @@ public interface QueryServices extends SQLCloseable {
 public static final String QUERY_SERVER_ENV_LOGGING_ATTRIB = "phoenix.queryserver.envvars.logging.disabled";
 public static final String QUERY_SERVER_ENV_LOGGING_SKIPWORDS_ATTRIB = "phoenix.queryserver.envvars.logging.skipwords";
 public static final String QUERY_SERVER_KEYTAB_FILENAME_ATTRIB = "phoenix.queryserver.keytab.file";
+ public static final String QUERY_SERVER_HTTP_KEYTAB_FILENAME_ATTRIB = "phoenix.queryserver.http.keytab.file";
 public static final String QUERY_SERVER_KERBEROS_PRINCIPAL_ATTRIB = "phoenix.queryserver.kerberos.principal";
+ public static final String QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB = "phoenix.queryserver.kerberos.http.principal";
 public static final String QUERY_SERVER_DNS_NAMESERVER_ATTRIB = "phoenix.queryserver.dns.nameserver";
 public static final String QUERY_SERVER_DNS_INTERFACE_ATTRIB = "phoenix.queryserver.dns.interface";
 public static final String QUERY_SERVER_HBASE_SECURITY_CONF_ATTRIB = "hbase.security.authentication";
http://git-wip-us.apache.org/repos/asf/phoenix/blob/0132bf68/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java ----------------------------------------------------------------------
diff --git a/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java b/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java
index 288e4f5..6b1fcfe 100644
--- a/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java
+++ b/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java
@@ -244,6 +244,11 @@ public final class QueryServer extends Configured implements Tool, Runnable { String keytabPath = getConf().get(QueryServices.QUERY_SERVER_KEYTAB_FILENAME_ATTRIB); File keytab = new File(keytabPath); + String httpKeytabPath = getConf().get(QueryServices.QUERY_SERVER_HTTP_KEYTAB_FILENAME_ATTRIB, null); + String httpPrincipal = getConf().get(QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB, null); + File httpKeytab = null; + if (null != httpKeytabPath) + httpKeytab = new File(httpKeytabPath); String realmsString = getConf().get(QueryServices.QUERY_SERVER_KERBEROS_ALLOWED_REALMS, null); String[] additionalAllowedRealms = null; @@ -252,9 +257,15 @@ public final class QueryServer extends Configured implements Tool, Runnable { } // Enable SPNEGO and impersonation (through standard Hadoop configuration means) - builder.withSpnego(ugi.getUserName(), additionalAllowedRealms) - .withAutomaticLogin(keytab) - .withImpersonation(new PhoenixDoAsCallback(ugi, getConf())); + if ((null != httpKeytabPath) && (null != httpPrincipal)) + builder.withSpnego(httpPrincipal, additionalAllowedRealms) + .withAutomaticLogin(httpKeytab) + .withImpersonation(new PhoenixDoAsCallback(ugi, getConf())); + else + builder.withSpnego(ugi.getUserName(), additionalAllowedRealms) + .withAutomaticLogin(keytab) + .withImpersonation(new PhoenixDoAsCallback(ugi, getConf())); + } setRemoteUserExtractorIfNecessary(builder, getConf());
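Review bot: `httpKeytab` is created from the raw value of `phoenix.queryserver.http.keytab.file` in the first hunk (`httpKeytab = new File(httpKeytabPath);`) with no check that the path names a readable file. As far as these lines show, a blank or mistyped value would only surface when the SPNEGO login is attempted, so I would verify it here, e.g. `if (!httpKeytab.canRead()) throw new IllegalArgumentException("Cannot read " + httpKeytabPath);`, or log the same message if this method is not meant to throw. A one-line comment above the new variables, `// Optional separate keytab/principal for SPNEGO; falls back to the service credentials when unset`, would record why there are now two sets. The enclosing method starts and ends outside the hunk.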
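Review bot: When only one of `phoenix.queryserver.http.keytab.file` and `phoenix.queryserver.kerberos.http.principal` is set, the new `else` branch in the second hunk silently uses the service principal and keytab for SPNEGO, so an operator who intended to separate the HTTP credential from the service credential gets no sign that the separation is not in effect. I would reject the half-configured case explicitly before choosing the credentials; whether to throw or only log a warning depends on how the enclosing method reports startup errors, which is not visible here. The two branches differ only in principal and keytab, so picking those two values first and keeping a single `withSpnego` chain also removes the duplicated `.withImpersonation(...)` call and the brace-less `if`/`else` around multi-line statements (the brace-less `if` in the first hunk has the same readability problem). The enclosing method starts and ends outside the hunk.

```java
// … unchanged: allowed-realms parsing …
boolean hasHttpKeytab = null != httpKeytabPath;
boolean hasHttpPrincipal = null != httpPrincipal;
if (hasHttpKeytab != hasHttpPrincipal) {
  // Half-configured SPNEGO credentials: do not fall back silently.
  throw new IllegalArgumentException(QueryServices.QUERY_SERVER_HTTP_KEYTAB_FILENAME_ATTRIB
      + " and " + QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB
      + " must be set together");
}
String spnegoPrincipal = hasHttpPrincipal ? httpPrincipal : ugi.getUserName();
File spnegoKeytab = hasHttpKeytab ? httpKeytab : keytab;

// Enable SPNEGO and impersonation (through standard Hadoop configuration means)
builder.withSpnego(spnegoPrincipal, additionalAllowedRealms)
    .withAutomaticLogin(spnegoKeytab)
    .withImpersonation(new PhoenixDoAsCallback(ugi, getConf()));
```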