[GitHub] [hbase] wchevreuil commented on a change in pull request #884: HBASE-23347 Allowable custom authentication methods for RPCs

Thu, 28 Nov 2019 10:04:28 -0800 

wchevreuil commented on a change in pull request #884: HBASE-23347 Allowable 
custom authentication methods for RPCs
URL: https://github.com/apache/hbase/pull/884#discussion_r351857477
 
 

 ##########
 File path: 
hbase-client/src/main/java/org/apache/hadoop/hbase/security/AbstractHBaseSaslRpcClient.java
 ##########
 @@ -79,53 +71,18 @@ protected AbstractHBaseSaslRpcClient(AuthMethod method, 
Token<? extends TokenIde
    * @param rpcProtection the protection level ("authentication", "integrity" 
or "privacy")
    * @throws IOException
    */
-  protected AbstractHBaseSaslRpcClient(AuthMethod method, Token<? extends 
TokenIdentifier> token,
+  protected AbstractHBaseSaslRpcClient(Configuration conf,
+      SaslClientAuthenticationProvider provider, Token<? extends 
TokenIdentifier> token,
       String serverPrincipal, boolean fallbackAllowed, String rpcProtection) 
throws IOException {
     this.fallbackAllowed = fallbackAllowed;
     saslProps = SaslUtil.initSaslProperties(rpcProtection);
-    switch (method) {
-      case DIGEST:
-        if (LOG.isDebugEnabled()) LOG.debug("Creating SASL " + 
AuthMethod.DIGEST.getMechanismName()
-            + " client to authenticate to service at " + token.getService());
-        saslClient = createDigestSaslClient(new String[] { 
AuthMethod.DIGEST.getMechanismName() },
-          SaslUtil.SASL_DEFAULT_REALM, new SaslClientCallbackHandler(token));
-        break;
-      case KERBEROS:
-        if (LOG.isDebugEnabled()) {
-          LOG.debug("Creating SASL " + AuthMethod.KERBEROS.getMechanismName()
-              + " client. Server's Kerberos principal name is " + 
serverPrincipal);
-        }
-        if (serverPrincipal == null || serverPrincipal.length() == 0) {
-          throw new IOException("Failed to specify server's Kerberos principal 
name");
-        }
-        String[] names = SaslUtil.splitKerberosName(serverPrincipal);
-        if (names.length != 3) {
-          throw new IOException(
-              "Kerberos principal does not have the expected format: " + 
serverPrincipal);
-        }
-        saslClient = createKerberosSaslClient(
-          new String[] { AuthMethod.KERBEROS.getMechanismName() }, names[0], 
names[1]);
-        break;
-      default:
-        throw new IOException("Unknown authentication method " + method);
-    }
+
+    saslClient = provider.createClient(conf, serverPrincipal, token, 
fallbackAllowed, saslProps);
 
 Review comment:
   This is great, much simpler, but do we still need a server principal along 
here? Couldn't that be something the kerberos provider defines internally, and 
sets accordingly on its created client?

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services

Reply via email to