[ https://issues.apache.org/jira/browse/HBASE-20886?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16554282#comment-16554282 ]

Sean Busbey commented on HBASE-20886:
-------------------------------------

{quote}
bq. Please keep these constants somewhere other than HConstants

Any recommendation?
{quote}

AuthUtil seems fine to me.

{quote}
What about keeping AuthUtil IA.Public, but marking AuthUtil.getAuthChore 
IA.Private (canary only), AuthUtil.loginClient and AuthUtil.getAuthRenewalChore 
are quite handy IMO.
{quote}

But why would anyone outside of the project use these if connection setup 
handles making the calls transparently?

{quote}
bq. where we smash some existing credentials in the JVM.

If client plans to login 2 identities in one application, no matter this client 
runs hbase or not, his JVM will have credentials issue.
As long as the same identity, from my knowledge, it is just a matter of expired 
time update, comparing to those long running job with numerous re-login, login 
one more time at the beginning does no harm. (But I already address this 
concern from v2, to reuse the login client if it exists)
{quote}

I don't think this is "too helpful" FWIW. I just don't want folks to think of 
it as "magic" that they have to learn from reading the source. It seems like 
there's minimal risk of surprising folks about credentials in the JVM since 
folks have to opt-in by setting configuration values to point at a keytab / 
principal.

If we want to be extra sure that this plays well we could try to use two 
different Configuration instances to connect with different keytab/principals 
within a single JVM instance. I think it's fine for that to be a follow-on 
since folks will be no further from doing that themselves if they just don't 
set the keytab/principal configs we look for here.


> [Auth] Support keytab login in hbase client
> -------------------------------------------
>
>                 Key: HBASE-20886
>                 URL: https://issues.apache.org/jira/browse/HBASE-20886
>             Project: HBase
>          Issue Type: Improvement
>          Components: asyncclient, Client, security
>            Reporter: Reid Chan
>            Assignee: Reid Chan
>            Priority: Critical
>         Attachments: HBASE-20886.master.001.patch, 
> HBASE-20886.master.002.patch, HBASE-20886.master.003.patch, 
> HBASE-20886.master.004.patch
>
>
> There're lots of questions about how to connect to kerberized hbase cluster 
> through hbase-client api from user-mail and slack channel.
> {{hbase.client.keytab.file}} and {{hbase.client.keytab.principal}} 
> already exist in the code base, but they are only used in {{Canary}}.
> This issue is to make use of two configs to support client-side keytab based 
> login, after this issue is resolved, hbase-client should directly connect to 
> kerberized cluster without changing any code as long as 
> {{hbase.client.keytab.file}} and {{hbase.client.keytab.principal}} are 
> specified.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
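
The two-identities-in-one-JVM case raised in the comment, as an added example (not code from the HBASE-20886 patches or from the HBase project): each principal is logged in as its own Hadoop `UserGroupInformation` and its connection is created inside `doAs`, so neither login replaces the JVM-wide login user. It deliberately leaves `hbase.client.keytab.file` and `hbase.client.keytab.principal` unset, which is the do-it-yourself route the comment mentions; the class name, principals, keytab paths and table name are placeholders.

```java
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Admin;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.security.UserGroupInformation;

public class TwoIdentityClient {

  /** Kerberos-enabled client configuration with no keytab/principal keys set. */
  static Configuration kerberosConf() {
    Configuration conf = HBaseConfiguration.create();
    conf.set("hadoop.security.authentication", "kerberos");
    conf.set("hbase.security.authentication", "kerberos");
    return conf;
  }

  /** Logs in one principal as its own UGI and opens a connection owned by it. */
  static Connection connectAs(Configuration conf, String principal, String keytab)
      throws Exception {
    // Returns a separate UGI; the JVM-wide login user is left as it was.
    UserGroupInformation ugi =
        UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
    // The connection picks up the current user at creation time, so create it in doAs.
    return ugi.doAs((PrivilegedExceptionAction<Connection>) () ->
        ConnectionFactory.createConnection(conf));
  }

  public static void main(String[] args) throws Exception {
    Configuration conf = kerberosConf();
    UserGroupInformation.setConfiguration(conf); // process-wide, set once

    TableName table = TableName.valueOf("demo_table"); // placeholder
    // Placeholder principals and keytab paths.
    try (Connection a = connectAs(conf, "app-a@EXAMPLE.COM", "/path/to/app-a.keytab");
         Connection b = connectAs(conf, "app-b@EXAMPLE.COM", "/path/to/app-b.keytab");
         Admin adminA = a.getAdmin();
         Admin adminB = b.getAdmin()) {
      // Each call is authorized as the principal that owns its connection.
      System.out.println("app-a sees table: " + adminA.tableExists(table));
      System.out.println("app-b sees table: " + adminB.tableExists(table));
    }
  }
}
```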
