[jira] [Commented] (KAFKA-3199) LoginManager should allow using an existing Subject

Wed, 03 Feb 2016 18:39:07 -0800 

    [ 
https://issues.apache.org/jira/browse/KAFKA-3199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15131609#comment-15131609
 ] 

ASF GitHub Bot commented on KAFKA-3199:
---------------------------------------

GitHub user kunickiaj opened a pull request:

    https://github.com/apache/kafka/pull/862

    KAFKA-3199: LoginManager should allow using an existing Subject

    One possible solution which doesn't require a new configuration parameter:
    But it assumes that if there is already a Subject you want to use its 
existing credentials, and not login from another keytab specified by 
kafka_client_jaas.conf.
    
    Because this makes the jaas.conf no longer required, a missing KafkaClient 
context is no longer an error, but merely a warning.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/kunickiaj/kafka KAFKA-3199

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/kafka/pull/862.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #862
    
----
commit 83fcc6c6150e9b22d82573b9935ee43a0692ffa4
Author: Adam Kunicki <a...@streamsets.com>
Date:   2016-02-04T02:35:11Z

    KAFKA-3199: LoginManager should allow using an existing Subject

----


> LoginManager should allow using an existing Subject
> ---------------------------------------------------
>
>                 Key: KAFKA-3199
>                 URL: https://issues.apache.org/jira/browse/KAFKA-3199
>             Project: Kafka
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 0.9.0.0
>            Reporter: Adam Kunicki
>            Assignee: Adam Kunicki
>            Priority: Critical
>
> LoginManager currently creates a new Login in the constructor which then 
> performs a login and starts a ticket renewal thread. The problem here is that 
> because Kafka performs its own login, it doesn't offer the ability to re-use 
> an existing subject that's already managed by the client application.
> The goal of LoginManager appears to be to be able to return a valid Subject. 
> It would be a simple fix to have LoginManager.acquireLoginManager() check for 
> a new config e.g. kerberos.use.existing.subject. 
> This would instead of creating a new Login in the constructor simply call 
> Subject.getSubject(AccessController.getContext()); to use the already logged 
> in Subject.
> This is also doable without introducing a new configuration and simply 
> checking if there is already a valid Subject available, but I think it may be 
> preferable to require that users explicitly request this behavior.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to