[ https://issues.apache.org/jira/browse/KAFKA-3199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15131609#comment-15131609 ]
ASF GitHub Bot commented on KAFKA-3199:
---------------------------------------

GitHub user kunickiaj opened a pull request:

    https://github.com/apache/kafka/pull/862

    KAFKA-3199: LoginManager should allow using an existing Subject

    One possible solution which doesn't require a new configuration parameter:
    But it assumes that if there is already a Subject you want to use its
    existing credentials, and not log in from another keytab specified by
    kafka_client_jaas.conf.

    Because this makes the jaas.conf no longer required, a missing KafkaClient
    context is no longer an error, but merely a warning.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/kunickiaj/kafka KAFKA-3199

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/kafka/pull/862.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #862

----
commit 83fcc6c6150e9b22d82573b9935ee43a0692ffa4
Author: Adam Kunicki <a...@streamsets.com>
Date:   2016-02-04T02:35:11Z

    KAFKA-3199: LoginManager should allow using an existing Subject

----

> LoginManager should allow using an existing Subject
> ---------------------------------------------------
>
>                 Key: KAFKA-3199
>                 URL: https://issues.apache.org/jira/browse/KAFKA-3199
>             Project: Kafka
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 0.9.0.0
>            Reporter: Adam Kunicki
>            Assignee: Adam Kunicki
>            Priority: Critical
>
> LoginManager currently creates a new Login in the constructor which then
> performs a login and starts a ticket renewal thread. The problem here is that
> because Kafka performs its own login, it doesn't offer the ability to re-use
> an existing subject that's already managed by the client application.
> The goal of LoginManager appears to be to be able to return a valid Subject.
> It would be a simple fix to have LoginManager.acquireLoginManager() check for
> a new config e.g. kerberos.use.existing.subject.
> This would instead of creating a new Login in the constructor simply call
> Subject.getSubject(AccessController.getContext()); to use the already logged
> in Subject.
> This is also doable without introducing a new configuration and simply
> checking if there is already a valid Subject available, but I think it may be
> preferable to require that users explicitly request this behavior.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
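The explicit opt-in variant described in the issue, as an added example that is not code from the pull request or from Kafka. The class `ExistingSubjectDemo`, the method `resolveSubject`, the fail-closed behaviour and the principal `app@EXAMPLE.COM` are assumptions made for illustration; `Subject.getSubject(AccessController.getContext())` is the call named in the issue and has been deprecated for removal since Java 17, so run this on a JDK that still supports it.

```java
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class ExistingSubjectDemo {
    // Hypothetical config key, taken from the "e.g." in the issue text.
    static final String USE_EXISTING = "kerberos.use.existing.subject";

    // Reuse the caller's Subject only when explicitly requested and only if it
    // carries a Kerberos principal; otherwise perform the JAAS login as before.
    static Subject resolveSubject(Map<String, ?> configs) throws LoginException {
        if (Boolean.parseBoolean(String.valueOf(configs.get(USE_EXISTING)))) {
            Subject current = Subject.getSubject(AccessController.getContext());
            if (current != null && !current.getPrincipals(KerberosPrincipal.class).isEmpty()) {
                return current; // no second login, no extra ticket renewal thread
            }
            // Assumption: fail closed rather than silently use another identity.
            throw new LoginException(USE_EXISTING + "=true but no Kerberos Subject in calling context");
        }
        // Default path: needs a JAAS configuration with a KafkaClient context.
        LoginContext lc = new LoginContext("KafkaClient");
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a Subject the application already manages.
        Subject appSubject = new Subject();
        appSubject.getPrincipals().add(new KerberosPrincipal("app@EXAMPLE.COM"));
        Map<String, String> cfg = Map.of(USE_EXISTING, "true");

        Subject inside = Subject.doAs(appSubject,
                (PrivilegedExceptionAction<Subject>) () -> resolveSubject(cfg));
        System.out.println("inside doAs, reused app Subject: " + (inside == appSubject));

        try {
            resolveSubject(cfg); // outside doAs nothing is bound to the context
        } catch (LoginException e) {
            System.out.println("outside doAs: " + e.getMessage());
        }
    }
}
```

With the opt-in flag set, the client never falls back to a keytab from kafka_client_jaas.conf, so the identity used for the connection is always the one the application bound with `Subject.doAs`.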