phoenix-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Josh Elser (JIRA)" <>
Subject [jira] [Commented] (PHOENIX-4749) Support impersonation without SPNEGO authn via PQS with Kerberized HBase
Date Fri, 25 May 2018 15:43:00 GMT


Josh Elser commented on PHOENIX-4749:

[~alexaraujo], how are you going to determine what the username is for impersonation by PQS
if not using SPNEGO? The default RemoteUserExtractor implementation provided in the same class
which pulls from an HTTP parameter? This is more of a documentation issue we'll need to get
better at.

In {{configureClientAuthentication}}, I'd suggest you put all of keytab and principal information
into the {{if (!disableSpnego)}} block as it's not used otherwise. e.g. all of the following:
    String keytabPath = getConf().get(QueryServices.QUERY_SERVER_KEYTAB_FILENAME_ATTRIB);
    File keytab = new File(keytabPath);
    String httpKeytabPath = getConf().get(QueryServices.QUERY_SERVER_HTTP_KEYTAB_FILENAME_ATTRIB,
    String httpPrincipal = getConf().get(QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB,
    // Backwards compat for a configuration key change
    if (httpPrincipal == null) {
      httpPrincipal = getConf().get(QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB_LEGACY,
    File httpKeytab = null;
    if (null != httpKeytabPath)
      httpKeytab = new File(httpKeytabPath);

    String realmsString = getConf().get(QueryServices.QUERY_SERVER_KERBEROS_ALLOWED_REALMS,
    String[] additionalAllowedRealms = null;
    if (null != realmsString) {
      additionalAllowedRealms = StringUtils.split(realmsString, ',');

And in the new test class, can you make sure both test methods validate that {{builder.withImpersonation(..)}}
is called, please?

Otherwise seems OK if tests are passing.

> Support impersonation without SPNEGO authn via PQS with Kerberized HBase
> ------------------------------------------------------------------------
>                 Key: PHOENIX-4749
>                 URL:
>             Project: Phoenix
>          Issue Type: Improvement
>            Reporter: Alex Araujo
>            Assignee: Alex Araujo
>            Priority: Major
>             Fix For: 4.14.0, 5.0.0
>         Attachments: PHOENIX-4749.patch
> Phoenix Query Server only supports SPNEGO auth (Kerberos) with impersonation.
> Allow other authentication methods to be used with impersonation.

This message was sent by Atlassian JIRA

View raw message