phoenix-issues mailing list archives

From "Josh Elser (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (PHOENIX-5006) jdbc connection to secure cluster should be able to use Kerberos ticket of user
Date Mon, 03 Dec 2018 23:39:00 GMT

    [ https://issues.apache.org/jira/browse/PHOENIX-5006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16707988#comment-16707988 ]

Josh Elser commented on PHOENIX-5006:
-------------------------------------

[~gsbiju], hey, sorry for the silence. Been a rough month.

I'm looking at the patch you've supplied. This part of the login code is pretty gross and
has lots of bad assumptions around it. Abstractly: I think what you're trying to do is good
in spirit:
 # Can we tell if security is enabled? We should build the Configuration which was built from
site.xml files as well as the JDBC properties.
 # Try to log in if security is enabled.
 ## Log in via princ+keytab from config (again, which pulls from site.xml or the JDBC properties)
 ## Log in via krb5 login module which will pull from the ticket cache by default (this might
even be able to dynamically prompt you since we're in a user-interactive context)

I think inverting the logic will help clear a bit of this up. Also, I don't think we need
to worry about all of the scariness in 2.1 (figuring out when to re-login if we already have
some credentials) applies for 2.2 which simplifies things.

Do you want to try your hand at the above, [~gsbiju], or should I continue? I've just mocked
it up a little locally to make sure I liked what I was suggesting.

> jdbc connection to secure cluster should be able to use Kerberos ticket of user
> -------------------------------------------------------------------------------
>
>                 Key: PHOENIX-5006
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-5006
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Biju Nair
>            Priority: Minor
>         Attachments: PHOENIX-5006.possiblefix
>
>
> Currently JDBC connection against a secure Phoenix cluster requires a Kerberos principal
> and keytab to be passed in as part of the connection string. But in many instances users may
> not have a {{Keytab}}, especially during development. It would be good to support using the
> logged-in user's Kerberos ticket.
>   



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
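
The login order outlined in the comment above, as an added example; it is not the attached patch and not Phoenix's own code. It assumes Hadoop's `UserGroupInformation` and HBase's `HBaseConfiguration` are on the classpath; the class name `ClientLoginSketch` and the two property keys are hypothetical.

```java
import java.io.IOException;
import java.util.Properties;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.security.UserGroupInformation;

public final class ClientLoginSketch {
    // Hypothetical property names for this sketch; substitute the keys your client really uses.
    static final String PRINCIPAL_KEY = "example.client.principal";
    static final String KEYTAB_KEY = "example.client.keytab";

    /** Step 1: site.xml files found on the classpath, overlaid with the JDBC properties. */
    static Configuration buildConfiguration(Properties jdbcProps) {
        Configuration conf = HBaseConfiguration.create();
        for (String name : jdbcProps.stringPropertyNames()) {
            conf.set(name, jdbcProps.getProperty(name));
        }
        return conf;
    }

    /** Step 2: log in only when security is enabled; keytab first, ticket cache otherwise. */
    static UserGroupInformation login(Configuration conf) throws IOException {
        UserGroupInformation.setConfiguration(conf);
        if (!UserGroupInformation.isSecurityEnabled()) {
            return UserGroupInformation.getCurrentUser(); // simple auth: no Kerberos login needed
        }
        String principal = conf.get(PRINCIPAL_KEY);
        String keytab = conf.get(KEYTAB_KEY);
        if (principal != null && keytab != null) {
            // 2.1: explicit principal + keytab from the merged configuration
            UserGroupInformation.loginUserFromKeytab(principal, keytab);
            return UserGroupInformation.getLoginUser();
        }
        if (principal != null || keytab != null) {
            // Half-configured credentials: fail instead of silently using another identity.
            throw new IOException("Set both " + PRINCIPAL_KEY + " and " + KEYTAB_KEY + ", or neither");
        }
        // 2.2: Hadoop's Kerberos login configuration reads the user's ticket cache (kinit)
        UserGroupInformation ugi = UserGroupInformation.getLoginUser();
        if (!ugi.hasKerberosCredentials()) { // defensive check on the resulting login
            throw new IOException("Security is enabled but no Kerberos credentials were obtained");
        }
        return ugi;
    }
}
```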
