accumulo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From joshelser <>
Subject [GitHub] accumulo pull request #274: ACCUMULO-4666 Improve KerberosToken sanity-check...
Date Tue, 27 Jun 2017 22:23:28 GMT
Github user joshelser commented on a diff in the pull request:
    --- Diff: core/src/main/java/org/apache/accumulo/core/client/security/tokens/
    @@ -48,15 +48,25 @@
        * Creates a token using the provided principal and the currently logged-in user via
{@link UserGroupInformation}.
    +   * This method expects the current user (as defined by {@link UserGroupInformation#getCurrentUser()}
to be authenticated via Kerberos or as a Proxy (on top of
    +   * another user). An {@link IllegalArgumentException} will be thrown for all other
    +   *
        * @param principal
        *          The user that is logged in
    +   * @throws IllegalArgumentException
    +   *           If the current user is not authentication via Kerberos or Proxy methods.
    +   * @see UserGroupInformation#getCurrentUser()
    +   * @see UserGroupInformation#getAuthenticationMethod()
       public KerberosToken(String principal) throws IOException {
         this.principal = requireNonNull(principal);
    -    final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
    -    if (AuthenticationMethod.KERBEROS == ugi.getAuthenticationMethod()) {
    -      checkArgument(ugi.hasKerberosCredentials(), "Subject is not logged in via Kerberos");
    -    }
    +    validateAuthMethod(UserGroupInformation.getCurrentUser().getAuthenticationMethod());
    +  }
    +  static void validateAuthMethod(AuthenticationMethod authMethod) {
    +    // There is also KERBEROS_SSL but that appears to be deprecated/OBE
    +    checkArgument(AuthenticationMethod.KERBEROS == authMethod || AuthenticationMethod.PROXY
== authMethod,
    --- End diff --
    > Do we no longer care if ugi.hasKerberosCredentials() when the case is KERBEROS?
    IMO, that's out of scope for what we should care about in Accumulo. I don't recall having
a reason to actually check `hasKerberosCredentials()` -- the `AuthenticationMethod` is treated
as sufficient in other projects I've seen using UGI.
    > But, if that's checked elsewhere (at RPC time?), then I guess it's fine.
    And yes, this is only trying to preemptively catch scenarios that we "know" will fail.
I'm just worried about being overly aggressive in trying to catch things that we only "think"
might fail (e.g. ACCUMULO-4665).

If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at or file a JIRA ticket
with INFRA.

View raw message