Posted to commits@hbase.apache.org by zg...@apache.org on 2019/06/11 03:35:46 UTC

[hbase] 01/02: Revert "HBASE-22116 Added keytab and principal support for HttpDoAsClient."

This is an automated email from the ASF dual-hosted git repository.

zghao pushed a commit to branch branch-2.2
in repository https://gitbox.apache.org/repos/asf/hbase.git

commit 4d8ff6055573a917e1eefe501bce87f529e7b4ad
Author: Guanghao Zhang <zg...@apache.org>
AuthorDate: Tue Jun 11 10:28:05 2019 +0800

    Revert "HBASE-22116 Added keytab and principal support for HttpDoAsClient."
    
    This reverts commit 16425bd7bbd8d71bba898338051c312adebc81da.
---
 .../apache/hadoop/hbase/thrift/HttpDoAsClient.java | 105 ++++++---------------
 1 file changed, 27 insertions(+), 78 deletions(-)

diff --git a/hbase-examples/src/main/java/org/apache/hadoop/hbase/thrift/HttpDoAsClient.java b/hbase-examples/src/main/java/org/apache/hadoop/hbase/thrift/HttpDoAsClient.java
index 59890ce..f4cb616 100644
--- a/hbase-examples/src/main/java/org/apache/hadoop/hbase/thrift/HttpDoAsClient.java
+++ b/hbase-examples/src/main/java/org/apache/hadoop/hbase/thrift/HttpDoAsClient.java
@@ -18,25 +18,20 @@
  */
 package org.apache.hadoop.hbase.thrift;
 
-import java.io.File;
 import java.io.UnsupportedEncodingException;
 import java.nio.ByteBuffer;
 import java.nio.charset.CharacterCodingException;
 import java.nio.charset.Charset;
 import java.nio.charset.CharsetDecoder;
-import java.security.Principal;
 import java.security.PrivilegedExceptionAction;
 import java.util.ArrayList;
 import java.util.Base64;
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
-import java.util.Set;
 import java.util.SortedMap;
 import java.util.TreeMap;
 import javax.security.auth.Subject;
-import javax.security.auth.kerberos.KerberosPrincipal;
 import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.Configuration;
 import javax.security.auth.login.LoginContext;
@@ -71,13 +66,11 @@ public class HttpDoAsClient {
   private static boolean secure = false;
   static protected String doAsUser = null;
   static protected String principal = null;
-  static protected String keyTab = null;
 
   public static void main(String[] args) throws Exception {
-    if (args.length < 3 || args.length > 6) {
+    if (args.length < 3 || args.length > 4) {
       System.out.println("Invalid arguments!");
-      System.out.println(
-          "Usage: HttpDoAsClient host port doAsUserName [security=true] [principal] [keytab]");
+      System.out.println("Usage: HttpDoAsClient host port doAsUserName [security=true]");
       System.exit(-1);
     }
 
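Review bot: The restored usage text `[security=true]` reads as a literal argument, but the fourth argument is parsed with `Boolean.parseBoolean(args[3])` a few lines further down in `main`. A user who types `security=true` therefore ends up with `secure == false` and gets no warning that the secure mode was not enabled. Spell out the accepted values in the message, e.g. `System.out.println("Usage: HttpDoAsClient host port doAsUserName [true|false]");`, or reject any fourth argument that is not `true` or `false`. The body of `main` continues outside this hunk.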
@@ -86,16 +79,7 @@ public class HttpDoAsClient {
     doAsUser = args[2];
     if (args.length > 3) {
       secure = Boolean.parseBoolean(args[3]);
-      if (args.length > 4) {
-        principal = args[4];
-        keyTab = args[5];
-        if (!new File(keyTab).exists()) {
-          System.err.printf("ERROR: KeyTab File %s not found %n", keyTab);
-          System.exit(-1);
-        }
-      } else {
-        principal = getSubject().getPrincipals().iterator().next().getName();
-      }
+      principal = getSubject().getPrincipals().iterator().next().getName();
     }
 
     final HttpDoAsClient client = new HttpDoAsClient();
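Review bot: The restored line `principal = getSubject().getPrincipals().iterator().next().getName();` runs whenever a fourth argument is present, even when that argument parses to `false`. A run that asked for no security still attempts a Kerberos login from the ticket cache, and it aborts if `context.login()` in `getSubject()` fails. Guard the lookup with the flag: `if (secure) { principal = getSubject().getPrincipals().iterator().next().getName(); }`. The call to `iterator().next()` also assumes the subject carries at least one principal. A short comment stating that assumption would help readers of this example.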
@@ -271,66 +255,31 @@ public class HttpDoAsClient {
      * To authenticate the DemoClient, kinit should be invoked ahead.
      * Here we try to get the Kerberos credential from the ticket cache.
      */
-    LoginContext context;
-
-    if (keyTab != null) {
-      // To authenticate the HttpDoAsClient using principal and keyTab
-      Set<Principal> principals = new HashSet<>();
-      principals.add(new KerberosPrincipal(principal));
-      Subject subject =
-          new Subject(false, principals, new HashSet<>(), new HashSet<>());
-
-      context = new LoginContext("", subject, null, new KerberosConfiguration(principal, keyTab));
-    } else {
-      /*
-       * To authenticate the HttpDoAsClient, kinit should be invoked ahead. Here we try to
-       * get the Kerberos credential from the ticket cache.
-       */
-      context = new LoginContext("", new Subject(), null, new KerberosConfiguration());
-    }
+    LoginContext context = new LoginContext("", new Subject(), null,
+        new Configuration() {
+          @Override
+          public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
+            Map<String, String> options = new HashMap<>();
+            options.put("useKeyTab", "false");
+            options.put("storeKey", "false");
+            options.put("doNotPrompt", "true");
+            options.put("useTicketCache", "true");
+            options.put("renewTGT", "true");
+            options.put("refreshKrb5Config", "true");
+            options.put("isInitiator", "true");
+            String ticketCache = System.getenv("KRB5CCNAME");
+            if (ticketCache != null) {
+              options.put("ticketCache", ticketCache);
+            }
+            options.put("debug", "true");
+
+            return new AppConfigurationEntry[]{
+              new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
+                            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
+                            options)};
+          }
+        });
     context.login();
     return context.getSubject();
   }
-
-  private static class KerberosConfiguration extends Configuration {
-    private String principal;
-    private String keyTab;
-
-    public KerberosConfiguration() {
-      // Empty constructor will have no principal or keyTab values
-    }
-
-    public KerberosConfiguration(String principal, String keyTab) {
-      this.principal = principal;
-      this.keyTab = keyTab;
-    }
-
-    @Override
-    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
-      Map<String, String> options = new HashMap<>();
-      if (principal != null && keyTab != null) {
-        options.put("principal", principal);
-        options.put("keyTab", keyTab);
-        options.put("useKeyTab", "true");
-        options.put("storeKey", "true");
-      } else {
-        options.put("useKeyTab", "false");
-        options.put("storeKey", "false");
-      }
-      options.put("doNotPrompt", "true");
-      options.put("useTicketCache", "true");
-      options.put("renewTGT", "true");
-      options.put("refreshKrb5Config", "true");
-      options.put("isInitiator", "true");
-      String ticketCache = System.getenv("KRB5CCNAME");
-      if (ticketCache != null) {
-        options.put("ticketCache", ticketCache);
-      }
-      options.put("debug", "true");
-
-      return new AppConfigurationEntry[] {
-        new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
-          AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) };
-    }
-  }
 }
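Review bot: The inline `Configuration` restored here hard-codes `options.put("debug", "true");`, so every run of the example emits Krb5LoginModule diagnostics. That output likely includes the principal name and ticket cache location, which then end up in whatever captures the client's console. Make it opt-in, for instance `options.put("debug", Boolean.toString(Boolean.getBoolean("sun.security.krb5.debug")));`, or drop the line. The context comment above the login still says "DemoClient" and should name `HttpDoAsClient`. It should also state that, after this revert, a prior `kinit` is the only supported way to authenticate. `getSubject()` starts outside this hunk.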