Github user joshelser commented on a diff in the pull request:
https://github.com/apache/accumulo/pull/273#discussion_r124306544
--- Diff:
core/src/main/java/org/apache/accumulo/core/client/security/tokens/KerberosToken.java
---
@@ -51,11 +52,11 @@
* The user that is logged in
*/
public KerberosToken(String principal) throws IOException {
- requireNonNull(principal);
+ this.principal = requireNonNull(principal);
final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
- checkArgument(ugi.hasKerberosCredentials(), "Subject is not logged in
via Kerberos");
- checkArgument(principal.equals(ugi.getUserName()), "Provided principal
does not match currently logged-in user");
- this.principal = ugi.getUserName();
+ if (AuthenticationMethod.KERBEROS == ugi.getAuthenticationMethod()) {
+ checkArgument(ugi.hasKerberosCredentials(), "Subject is not logged
in via Kerberos");
+ }
--- End diff --
Thinking about this again, I need to update the javadoc on KerberosToken.
We're enforcing an assumption (silently) that when the token is
instantiated, the Kerberos user is already logged in. Whereas, something like
the following, could be something a user comes up with and would be surprised
when it doesn't work.
```java
UserGroupInformation myUser = getUserBasedOnCustomLogic();
final Instance inst = new ZooKeeperInstance(clientConf);
final AuthenticationToken token = new KerberosToken();
myUser.doAs(new PrivilegedExceptionAction<Void>() {
@Override public Void run() throws Exception {
Connector conn = inst.getConnector(principal, token);
// ...
}
});
```
Let me also include javadoc update to try to make clear that the above
circumstance would not work.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---
