[3/4] phoenix git commit: PHOENIX-4749 Allow impersonation when SPNEGO is disabled
PHOENIX-4749 Allow impersonation when SPNEGO is disabled Client impersonation is no longer tied to SPNEGO auth. Signed-off-by: Josh ElserProject: http://git-wip-us.apache.org/repos/asf/phoenix/repo Commit: http://git-wip-us.apache.org/repos/asf/phoenix/commit/58082f81 Tree: http://git-wip-us.apache.org/repos/asf/phoenix/tree/58082f81 Diff: http://git-wip-us.apache.org/repos/asf/phoenix/diff/58082f81 Branch: refs/heads/4.x-cdh5.14 Commit: 58082f8100a82d637c8f5102e16204e51b7cf86d Parents: f7a27e2 Author: Alex Araujo Authored: Wed May 23 16:28:48 2018 +0100 Committer: Pedro Boado Committed: Fri May 25 22:58:29 2018 +0100 -- .../phoenix/queryserver/server/QueryServer.java | 90 +++- .../server/QueryServerConfigurationTest.java| 72 2 files changed, 121 insertions(+), 41 deletions(-) -- http://git-wip-us.apache.org/repos/asf/phoenix/blob/58082f81/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java -- diff --git a/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java b/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java index 8436086..e3f0f52 100644 --- a/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java +++ b/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java @@ -54,6 +54,7 @@ import org.apache.phoenix.queryserver.register.Registry; import org.apache.phoenix.util.InstanceResolver; import java.io.File; +import java.io.IOException; import java.lang.management.ManagementFactory; import java.lang.management.RuntimeMXBean; import java.net.InetAddress; 
@@ -197,7 +198,7 @@ public final class QueryServer extends Configured implements Tool, Runnable {
 QueryServicesOptions.DEFAULT_QUERY_SERVER_DISABLE_KERBEROS_LOGIN);
 // handle secure cluster credentials
- if (isKerberos && !disableSpnego && !disableLogin) {
+ if (isKerberos && !disableLogin) {
 hostname = Strings.domainNamePointerToHostName(DNS.getDefaultHost(
 getConf().get(QueryServices.QUERY_SERVER_DNS_INTERFACE_ATTRIB, "default"),
 getConf().get(QueryServices.QUERY_SERVER_DNS_NAMESERVER_ATTRIB, "default")));
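Review bot: With `!disableSpnego` dropped from `if (isKerberos && !disableLogin)`, the keytab login now runs on servers that have SPNEGO turned off, and nothing in this hunk records who authenticates the client whose identity is later impersonated. If impersonation stays enabled without SPNEGO, as the commit title says, the user name handed to the doAs callback is presumably client-asserted, which would leave the Hadoop proxyuser host/group rules as the only check on it. I would add a comment above the condition, `// Login is still required for impersonation when SPNEGO is off; the client identity is then not authenticated here`, and a startup warning such as `if (disableSpnego) LOG.warn("SPNEGO disabled: impersonated client identities are not authenticated by the query server");`. The enclosing method starts and ends outside the hunk, and the same hunk recurs in the 4.x-cdh5.13 and 4.x-cdh5.12 copies of this commit mail further down the page.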
@@ -230,47 +231,9 @@ public final class QueryServer extends Configured implements Tool, Runnable { final HttpServer.Builder builder = new HttpServer.Builder().withPort(port) .withHandler(service, getSerialization(getConf())); - // Enable SPNEGO and Impersonation when using Kerberos + // Enable client auth when using Kerberos auth for HBase if (isKerberos) { -UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); -LOG.debug("Current user is " + ugi); -if (!ugi.hasKerberosCredentials()) { - ugi = UserGroupInformation.getLoginUser(); - LOG.debug("Current user does not have Kerberos credentials, using instead " + ugi); -} - -// Make sure the proxyuser configuration is up to date -ProxyUsers.refreshSuperUserGroupsConfiguration(getConf()); - -String keytabPath = getConf().get(QueryServices.QUERY_SERVER_KEYTAB_FILENAME_ATTRIB); -File keytab = new File(keytabPath); -String httpKeytabPath = getConf().get(QueryServices.QUERY_SERVER_HTTP_KEYTAB_FILENAME_ATTRIB, null); -String httpPrincipal = getConf().get(QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB, null); -// Backwards compat for a configuration key change -if (httpPrincipal == null) { - httpPrincipal = getConf().get(QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB_LEGACY, null); -} -File httpKeytab = null; -if (null != httpKeytabPath) - httpKeytab = new File(httpKeytabPath); - -String realmsString = getConf().get(QueryServices.QUERY_SERVER_KERBEROS_ALLOWED_REALMS, null); -String[] additionalAllowedRealms = null; -if (null != realmsString) { -additionalAllowedRealms = StringUtils.split(realmsString, ','); -} - -// Enable SPNEGO and impersonation (through standard Hadoop configuration means) -if ((null != httpKeytabPath) && (null != httpPrincipal)) - builder.withSpnego(httpPrincipal, additionalAllowedRealms) - .withAutomaticLogin(httpKeytab) - .withImpersonation(new PhoenixDoAsCallback(ugi, getConf())); -else - builder.withSpnego(ugi.getUserName(), additionalAllowedRealms) - 
.withAutomaticLogin(keytab) - .withImpersonation(new PhoenixDoAsCallback(ugi, getConf())); - - +
[3/4] phoenix git commit: PHOENIX-4749 Allow impersonation when SPNEGO is disabled
PHOENIX-4749 Allow impersonation when SPNEGO is disabled Client impersonation is no longer tied to SPNEGO auth. Signed-off-by: Josh ElserProject: http://git-wip-us.apache.org/repos/asf/phoenix/repo Commit: http://git-wip-us.apache.org/repos/asf/phoenix/commit/58082f81 Tree: http://git-wip-us.apache.org/repos/asf/phoenix/tree/58082f81 Diff: http://git-wip-us.apache.org/repos/asf/phoenix/diff/58082f81 Branch: refs/heads/4.x-cdh5.13 Commit: 58082f8100a82d637c8f5102e16204e51b7cf86d Parents: f7a27e2 Author: Alex Araujo Authored: Wed May 23 16:28:48 2018 +0100 Committer: Pedro Boado Committed: Fri May 25 22:58:29 2018 +0100 -- .../phoenix/queryserver/server/QueryServer.java | 90 +++- .../server/QueryServerConfigurationTest.java| 72 2 files changed, 121 insertions(+), 41 deletions(-) -- http://git-wip-us.apache.org/repos/asf/phoenix/blob/58082f81/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java -- diff --git a/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java b/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java index 8436086..e3f0f52 100644 --- a/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java +++ b/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java @@ -54,6 +54,7 @@ import org.apache.phoenix.queryserver.register.Registry; import org.apache.phoenix.util.InstanceResolver; import java.io.File; +import java.io.IOException; import java.lang.management.ManagementFactory; import java.lang.management.RuntimeMXBean; import java.net.InetAddress; 
@@ -197,7 +198,7 @@ public final class QueryServer extends Configured implements Tool, Runnable {
 QueryServicesOptions.DEFAULT_QUERY_SERVER_DISABLE_KERBEROS_LOGIN);
 // handle secure cluster credentials
- if (isKerberos && !disableSpnego && !disableLogin) {
+ if (isKerberos && !disableLogin) {
 hostname = Strings.domainNamePointerToHostName(DNS.getDefaultHost(
 getConf().get(QueryServices.QUERY_SERVER_DNS_INTERFACE_ATTRIB, "default"),
 getConf().get(QueryServices.QUERY_SERVER_DNS_NAMESERVER_ATTRIB, "default")));
@@ -230,47 +231,9 @@ public final class QueryServer extends Configured implements Tool, Runnable { final HttpServer.Builder builder = new HttpServer.Builder().withPort(port) .withHandler(service, getSerialization(getConf())); - // Enable SPNEGO and Impersonation when using Kerberos + // Enable client auth when using Kerberos auth for HBase if (isKerberos) { -UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); -LOG.debug("Current user is " + ugi); -if (!ugi.hasKerberosCredentials()) { - ugi = UserGroupInformation.getLoginUser(); - LOG.debug("Current user does not have Kerberos credentials, using instead " + ugi); -} - -// Make sure the proxyuser configuration is up to date -ProxyUsers.refreshSuperUserGroupsConfiguration(getConf()); - -String keytabPath = getConf().get(QueryServices.QUERY_SERVER_KEYTAB_FILENAME_ATTRIB); -File keytab = new File(keytabPath); -String httpKeytabPath = getConf().get(QueryServices.QUERY_SERVER_HTTP_KEYTAB_FILENAME_ATTRIB, null); -String httpPrincipal = getConf().get(QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB, null); -// Backwards compat for a configuration key change -if (httpPrincipal == null) { - httpPrincipal = getConf().get(QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB_LEGACY, null); -} -File httpKeytab = null; -if (null != httpKeytabPath) - httpKeytab = new File(httpKeytabPath); - -String realmsString = getConf().get(QueryServices.QUERY_SERVER_KERBEROS_ALLOWED_REALMS, null); -String[] additionalAllowedRealms = null; -if (null != realmsString) { -additionalAllowedRealms = StringUtils.split(realmsString, ','); -} - -// Enable SPNEGO and impersonation (through standard Hadoop configuration means) -if ((null != httpKeytabPath) && (null != httpPrincipal)) - builder.withSpnego(httpPrincipal, additionalAllowedRealms) - .withAutomaticLogin(httpKeytab) - .withImpersonation(new PhoenixDoAsCallback(ugi, getConf())); -else - builder.withSpnego(ugi.getUserName(), additionalAllowedRealms) - 
.withAutomaticLogin(keytab) - .withImpersonation(new PhoenixDoAsCallback(ugi, getConf())); - - +
[3/4] phoenix git commit: PHOENIX-4749 Allow impersonation when SPNEGO is disabled
PHOENIX-4749 Allow impersonation when SPNEGO is disabled Client impersonation is no longer tied to SPNEGO auth. Signed-off-by: Josh ElserProject: http://git-wip-us.apache.org/repos/asf/phoenix/repo Commit: http://git-wip-us.apache.org/repos/asf/phoenix/commit/58082f81 Tree: http://git-wip-us.apache.org/repos/asf/phoenix/tree/58082f81 Diff: http://git-wip-us.apache.org/repos/asf/phoenix/diff/58082f81 Branch: refs/heads/4.x-cdh5.12 Commit: 58082f8100a82d637c8f5102e16204e51b7cf86d Parents: f7a27e2 Author: Alex Araujo Authored: Wed May 23 16:28:48 2018 +0100 Committer: Pedro Boado Committed: Fri May 25 22:58:29 2018 +0100 -- .../phoenix/queryserver/server/QueryServer.java | 90 +++- .../server/QueryServerConfigurationTest.java| 72 2 files changed, 121 insertions(+), 41 deletions(-) -- http://git-wip-us.apache.org/repos/asf/phoenix/blob/58082f81/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java -- diff --git a/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java b/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java index 8436086..e3f0f52 100644 --- a/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java +++ b/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java @@ -54,6 +54,7 @@ import org.apache.phoenix.queryserver.register.Registry; import org.apache.phoenix.util.InstanceResolver; import java.io.File; +import java.io.IOException; import java.lang.management.ManagementFactory; import java.lang.management.RuntimeMXBean; import java.net.InetAddress; 
@@ -197,7 +198,7 @@ public final class QueryServer extends Configured implements Tool, Runnable {
 QueryServicesOptions.DEFAULT_QUERY_SERVER_DISABLE_KERBEROS_LOGIN);
 // handle secure cluster credentials
- if (isKerberos && !disableSpnego && !disableLogin) {
+ if (isKerberos && !disableLogin) {
 hostname = Strings.domainNamePointerToHostName(DNS.getDefaultHost(
 getConf().get(QueryServices.QUERY_SERVER_DNS_INTERFACE_ATTRIB, "default"),
 getConf().get(QueryServices.QUERY_SERVER_DNS_NAMESERVER_ATTRIB, "default")));
@@ -230,47 +231,9 @@ public final class QueryServer extends Configured implements Tool, Runnable { final HttpServer.Builder builder = new HttpServer.Builder().withPort(port) .withHandler(service, getSerialization(getConf())); - // Enable SPNEGO and Impersonation when using Kerberos + // Enable client auth when using Kerberos auth for HBase if (isKerberos) { -UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); -LOG.debug("Current user is " + ugi); -if (!ugi.hasKerberosCredentials()) { - ugi = UserGroupInformation.getLoginUser(); - LOG.debug("Current user does not have Kerberos credentials, using instead " + ugi); -} - -// Make sure the proxyuser configuration is up to date -ProxyUsers.refreshSuperUserGroupsConfiguration(getConf()); - -String keytabPath = getConf().get(QueryServices.QUERY_SERVER_KEYTAB_FILENAME_ATTRIB); -File keytab = new File(keytabPath); -String httpKeytabPath = getConf().get(QueryServices.QUERY_SERVER_HTTP_KEYTAB_FILENAME_ATTRIB, null); -String httpPrincipal = getConf().get(QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB, null); -// Backwards compat for a configuration key change -if (httpPrincipal == null) { - httpPrincipal = getConf().get(QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB_LEGACY, null); -} -File httpKeytab = null; -if (null != httpKeytabPath) - httpKeytab = new File(httpKeytabPath); - -String realmsString = getConf().get(QueryServices.QUERY_SERVER_KERBEROS_ALLOWED_REALMS, null); -String[] additionalAllowedRealms = null; -if (null != realmsString) { -additionalAllowedRealms = StringUtils.split(realmsString, ','); -} - -// Enable SPNEGO and impersonation (through standard Hadoop configuration means) -if ((null != httpKeytabPath) && (null != httpPrincipal)) - builder.withSpnego(httpPrincipal, additionalAllowedRealms) - .withAutomaticLogin(httpKeytab) - .withImpersonation(new PhoenixDoAsCallback(ugi, getConf())); -else - builder.withSpnego(ugi.getUserName(), additionalAllowedRealms) - 
.withAutomaticLogin(keytab) - .withImpersonation(new PhoenixDoAsCallback(ugi, getConf())); - - +