wchevreuil commented on a change in pull request #884: HBASE-23347 Allowable custom authentication methods for RPCs URL: https://github.com/apache/hbase/pull/884#discussion_r351857477
########## File path: hbase-client/src/main/java/org/apache/hadoop/hbase/security/AbstractHBaseSaslRpcClient.java ########## @@ -79,53 +71,18 @@ protected AbstractHBaseSaslRpcClient(AuthMethod method, Token<? extends TokenIde * @param rpcProtection the protection level ("authentication", "integrity" or "privacy") * @throws IOException */ - protected AbstractHBaseSaslRpcClient(AuthMethod method, Token<? extends TokenIdentifier> token, + protected AbstractHBaseSaslRpcClient(Configuration conf, + SaslClientAuthenticationProvider provider, Token<? extends TokenIdentifier> token, String serverPrincipal, boolean fallbackAllowed, String rpcProtection) throws IOException { this.fallbackAllowed = fallbackAllowed; saslProps = SaslUtil.initSaslProperties(rpcProtection); - switch (method) { - case DIGEST: - if (LOG.isDebugEnabled()) LOG.debug("Creating SASL " + AuthMethod.DIGEST.getMechanismName() - + " client to authenticate to service at " + token.getService()); - saslClient = createDigestSaslClient(new String[] { AuthMethod.DIGEST.getMechanismName() }, - SaslUtil.SASL_DEFAULT_REALM, new SaslClientCallbackHandler(token)); - break; - case KERBEROS: - if (LOG.isDebugEnabled()) { - LOG.debug("Creating SASL " + AuthMethod.KERBEROS.getMechanismName() - + " client. Server's Kerberos principal name is " + serverPrincipal); - } - if (serverPrincipal == null || serverPrincipal.length() == 0) { - throw new IOException("Failed to specify server's Kerberos principal name"); - } - String[] names = SaslUtil.splitKerberosName(serverPrincipal); - if (names.length != 3) { - throw new IOException( - "Kerberos principal does not have the expected format: " + serverPrincipal); - } - saslClient = createKerberosSaslClient( - new String[] { AuthMethod.KERBEROS.getMechanismName() }, names[0], names[1]); - break; - default: - throw new IOException("Unknown authentication method " + method); - } + + saslClient = provider.createClient(conf, serverPrincipal, token, fallbackAllowed, saslProps); Review comment: This is great, much simpler, but do we still need a server principal along here? Couldn't that be something the kerberos provider defines internally, and sets accordingly on its created client? ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services