Github user ctubbsii commented on a diff in the pull request:
https://github.com/apache/accumulo/pull/274#discussion_r124412629
--- Diff:
core/src/main/java/org/apache/accumulo/core/client/security/tokens/KerberosToken.java
---
@@ -48,15 +48,25 @@
/**
* Creates a token using the provided principal and the currently
logged-in user via {@link UserGroupInformation}.
*
+ * This method expects the current user (as defined by {@link
UserGroupInformation#getCurrentUser()} to be authenticated via Kerberos or as a
Proxy (on top of
+ * another user). An {@link IllegalArgumentException} will be thrown for
all other cases.
+ *
* @param principal
* The user that is logged in
+ * @throws IllegalArgumentException
+ * If the current user is not authentication via Kerberos or
Proxy methods.
+ * @see UserGroupInformation#getCurrentUser()
+ * @see UserGroupInformation#getAuthenticationMethod()
*/
public KerberosToken(String principal) throws IOException {
this.principal = requireNonNull(principal);
- final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
- if (AuthenticationMethod.KERBEROS == ugi.getAuthenticationMethod()) {
- checkArgument(ugi.hasKerberosCredentials(), "Subject is not logged
in via Kerberos");
- }
+
validateAuthMethod(UserGroupInformation.getCurrentUser().getAuthenticationMethod());
+ }
+
+ static void validateAuthMethod(AuthenticationMethod authMethod) {
+ // There is also KERBEROS_SSL but that appears to be deprecated/OBE
+ checkArgument(AuthenticationMethod.KERBEROS == authMethod ||
AuthenticationMethod.PROXY == authMethod,
--- End diff --
Gotcha. Just wanted to make sure.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
