Github user sohami commented on a diff in the pull request: https://github.com/apache/drill/pull/1040#discussion_r158135221 --- Diff: exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/auth/SpnegoUtil.java --- 
@@ -0,0 +1,115 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+package org.apache.drill.exec.server.rest.auth;
+
+import com.google.common.base.Preconditions;
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.common.exceptions.DrillException;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeys;
+import org.apache.hadoop.security.UserGroupInformation;
+
+public class SpnegoUtil {
+
+ private UserGroupInformation loggedInUgi;
+
+ //private String realm;
+
+ private String principal;
+
+ private String keytab;
+
+ public SpnegoUtil(DrillConfig config) {
+
+ keytab = config.hasPath(ExecConstants.HTTP_SPNEGO_KEYTAB) ?
+ config.getString(ExecConstants.HTTP_SPNEGO_KEYTAB) :
+ null;
+
+ principal = config.hasPath(ExecConstants.HTTP_SPNEGO_PRINCIPAL) ?
+ config.getString(ExecConstants.HTTP_SPNEGO_PRINCIPAL) :
+ null;
+ }
+
+ //Reads the SPNEGO principal from the config file
+ public String getSpnegoPrincipal() {
+ return principal;
+ }
+
+ public void validateSpnegoConfig() throws DrillException {
+
+ StringBuilder errorMsg = new StringBuilder();
+
+ if (principal != null && keytab != null) {
+ return;
+ }
+
+ if (principal == null) {
+ errorMsg.append("\nConfiguration ");
+ errorMsg.append(ExecConstants.HTTP_SPNEGO_PRINCIPAL);
+ errorMsg.append(" is not found");
+ }
+
+ if (keytab == null) {
+ errorMsg.append("\nConfiguration ");
+ errorMsg.append(ExecConstants.HTTP_SPNEGO_KEYTAB);
+ errorMsg.append(" is not found");
+ }
+
+ throw new DrillException(errorMsg.toString());
+ }
+
+ //Performs the Server login to KDC for SPNEGO
+ private UserGroupInformation loginAndReturnUgi() throws DrillException {
+
+ validateSpnegoConfig();
+
+ UserGroupInformation ugi;
+ try {
+ // Check if security is not enabled and try to set the security parameter to login the principal.
+ // After the login is performed reset the static UGI state.
+ if (!UserGroupInformation.isSecurityEnabled()) {
+ final Configuration newConfig = new Configuration();
+ newConfig.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
+ UserGroupInformation.AuthenticationMethod.KERBEROS.toString());
+
+ UserGroupInformation.setConfiguration(newConfig);
+ ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
+
+ // Reset the original configuration for static UGI
+ UserGroupInformation.setConfiguration(new Configuration());
--- End diff --
There is no concurrency issue here since this will be called only once during WebServer setup time.
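Review bot: In loginAndReturnUgi the reset `UserGroupInformation.setConfiguration(new Configuration());` is reached only when `loginUserFromKeytabAndReturnUGI` returns normally; if the keytab login throws, the process-wide UGI configuration stays at KERBEROS unless the handler outside this hunk restores it. Wrapping just the login as `try { ugi = ...; } finally { UserGroupInformation.setConfiguration(new Configuration()); }` would restore the setting on both paths. The comment above the reset also overstates what happens: `new Configuration()` loads the defaults, which equals the original only if nothing non-default was set on UGI earlier, so `// Reset static UGI to the default configuration` would be more accurate. The method body and its catch block continue past the end of the quoted hunk, so the failure path could not be checked here.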
---