[GitHub] accumulo pull request #274: ACCUMULO-4666 Improve KerberosToken sanity-check...

[joshelser]

Github user joshelser commented on a diff in the pull request:

    https://github.com/apache/accumulo/pull/274#discussion_r124411917
  
    --- Diff: 
core/src/main/java/org/apache/accumulo/core/client/security/tokens/KerberosToken.java
 ---
    @@ -48,15 +48,25 @@
       /**
        * Creates a token using the provided principal and the currently 
logged-in user via {@link UserGroupInformation}.
        *
    +   * This method expects the current user (as defined by {@link 
UserGroupInformation#getCurrentUser()} to be authenticated via Kerberos or as a 
Proxy (on top of
    +   * another user). An {@link IllegalArgumentException} will be thrown for 
all other cases.
    +   *
        * @param principal
        *          The user that is logged in
    +   * @throws IllegalArgumentException
    +   *           If the current user is not authentication via Kerberos or 
Proxy methods.
    +   * @see UserGroupInformation#getCurrentUser()
    +   * @see UserGroupInformation#getAuthenticationMethod()
        */
       public KerberosToken(String principal) throws IOException {
         this.principal = requireNonNull(principal);
    -    final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
    -    if (AuthenticationMethod.KERBEROS == ugi.getAuthenticationMethod()) {
    -      checkArgument(ugi.hasKerberosCredentials(), "Subject is not logged 
in via Kerberos");
    -    }
    +    
validateAuthMethod(UserGroupInformation.getCurrentUser().getAuthenticationMethod());
    +  }
    +
    +  static void validateAuthMethod(AuthenticationMethod authMethod) {
    +    // There is also KERBEROS_SSL but that appears to be deprecated/OBE
    +    checkArgument(AuthenticationMethod.KERBEROS == authMethod || 
AuthenticationMethod.PROXY == authMethod,
    --- End diff --
    
    > Do we no longer care if ugi.hasKerberosCredentials() when the case is 
KERBEROS?
    
    IMO, that's out of scope for what we should care about in Accumulo. I don't 
recall having a reason to actually check `hasKerberosCredentials()` -- the 
`AuthenticationMethod` is treated as sufficient in other projects I've seen 
using UGI.
    
    > But, if that's checked elsewhere (at RPC time?), then I guess it's fine.
    
    And yes, this is only trying to preemptively catch scenarios that we "know" 
will fail. I'm just worried about being overly aggressive in trying to catch 
things that we only "think" might fail (e.g. ACCUMULO-4665).


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---