accumulo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ctubbsii <...@git.apache.org>
Subject [GitHub] accumulo pull request #274: ACCUMULO-4666 Improve KerberosToken sanity-check...
Date Tue, 27 Jun 2017 22:19:51 GMT
Github user ctubbsii commented on a diff in the pull request:

    https://github.com/apache/accumulo/pull/274#discussion_r124411313
  
    --- Diff: core/src/main/java/org/apache/accumulo/core/client/security/tokens/KerberosToken.java
---
    @@ -48,15 +48,25 @@
       /**
        * Creates a token using the provided principal and the currently logged-in user via
{@link UserGroupInformation}.
        *
    +   * This method expects the current user (as defined by {@link UserGroupInformation#getCurrentUser()}
to be authenticated via Kerberos or as a Proxy (on top of
    +   * another user). An {@link IllegalArgumentException} will be thrown for all other
cases.
    +   *
        * @param principal
        *          The user that is logged in
    +   * @throws IllegalArgumentException
    +   *           If the current user is not authentication via Kerberos or Proxy methods.
    +   * @see UserGroupInformation#getCurrentUser()
    +   * @see UserGroupInformation#getAuthenticationMethod()
        */
       public KerberosToken(String principal) throws IOException {
         this.principal = requireNonNull(principal);
    -    final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
    -    if (AuthenticationMethod.KERBEROS == ugi.getAuthenticationMethod()) {
    -      checkArgument(ugi.hasKerberosCredentials(), "Subject is not logged in via Kerberos");
    -    }
    +    validateAuthMethod(UserGroupInformation.getCurrentUser().getAuthenticationMethod());
    +  }
    +
    +  static void validateAuthMethod(AuthenticationMethod authMethod) {
    +    // There is also KERBEROS_SSL but that appears to be deprecated/OBE
    +    checkArgument(AuthenticationMethod.KERBEROS == authMethod || AuthenticationMethod.PROXY
== authMethod,
    --- End diff --
    
    Do we no longer care if `ugi.hasKerberosCredentials()` when the case is KERBEROS?
    
    I guess I was kind of expecting this to supplement the verification that the KERBEROS
case was logged in, instead of replace it. But, if that's checked elsewhere (at RPC time?),
then I guess it's fine.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

Mime
View raw message