Posted to commits@calcite.apache.org by GitBox <gi...@apache.org> on 2019/10/09 16:47:16 UTC

[GitHub] [calcite-avatica] joshelser commented on a change in pull request #113: [CALCITE-3384] Support Kerberos-authentication using SPNEGO over HTTPS

joshelser commented on a change in pull request #113: [CALCITE-3384] Support Kerberos-authentication using SPNEGO over HTTPS
URL: https://github.com/apache/calcite-avatica/pull/113#discussion_r333120325
 
 

 ##########
 File path: server/src/test/java/org/apache/calcite/avatica/AvaticaSpnegoTest.java
 ##########
 @@ -151,40 +144,57 @@ private static void setupServerUser(File keytabDir) throws KrbException {
   @Parameters public static List<Object[]> parameters() throws Exception {
     final ArrayList<Object[]> parameters = new ArrayList<>();
 
+    setupClass();
+
     // Start the KDC
     setupKdc();
 
-    // Create a LocalService around HSQLDB
-    final JdbcMeta jdbcMeta = new JdbcMeta(CONNECTION_SPEC.url,
-        CONNECTION_SPEC.username, CONNECTION_SPEC.password);
-    final LocalService localService = new LocalService(jdbcMeta);
-
-    for (Driver.Serialization serialization : new Driver.Serialization[] {
-        Driver.Serialization.JSON, Driver.Serialization.PROTOBUF}) {
-      // Build and start the server
-      HttpServer httpServer = new HttpServer.Builder()
-          .withPort(0)
-          .withAutomaticLogin(serverKeytab)
-          .withSpnego(SpnegoTestUtil.SERVER_PRINCIPAL, SpnegoTestUtil.REALM)
-          .withHandler(localService, serialization)
-          .build();
-      httpServer.start();
-      SERVERS_TO_STOP.add(httpServer);
-
-      final String url = "jdbc:avatica:remote:url=http://" + SpnegoTestUtil.KDC_HOST + ":"
-          + httpServer.getPort() + ";authentication=SPNEGO;serialization=" + serialization;
-      LOG.info("JDBC URL {}", url);
-
-      parameters.add(new Object[] {url});
+    for (boolean tls : new Boolean[] {false, true}) {
+      for (Driver.Serialization serialization : new Driver.Serialization[] {
+          Driver.Serialization.JSON, Driver.Serialization.PROTOBUF}) {
+        if (tls && System.getProperty("java.vendor").contains("IBM")) {
+          // Skip TLS testing on IBM Java due the combination of:
+          // - Jetty 9.4.12+ ignores SSL_* ciphers due to security - eclipse/jetty.project#2807
+          // - IBM uses SSL_* cipher names for ALL ciphers not following RFC cipher names
+          //   See eclipse/jetty.project#2807 for details
+          LOG.info("Skipping HTTPS test on IBM Java");
+          parameters.add(new Object[] {null});
+          continue;
+        }
+
+        // Build and start the server
+        HttpServer.Builder httpServerBuilder = new HttpServer.Builder();
+        if (tls) {
+          httpServerBuilder = httpServerBuilder
+              .withTLS(KEYSTORE, KEYSTORE_PASSWORD, KEYSTORE, KEYSTORE_PASSWORD);
+        }
+        HttpServer httpServer = httpServerBuilder
+            .withPort(0)
+            .withAutomaticLogin(serverKeytab)
+            .withSpnego(SpnegoTestUtil.SERVER_PRINCIPAL, SpnegoTestUtil.REALM)
+            .withHandler(localService, serialization)
+            .build();
+        httpServer.start();
+        SERVERS_TO_STOP.add(httpServer);
+
+        String url = "jdbc:avatica:remote:url=" + (tls ? "https://" : "http://")
+            + SpnegoTestUtil.KDC_HOST + ":" + httpServer.getPort()
+            + ";authentication=SPNEGO;serialization=" + serialization;
+        if (tls) {
+          url += ";truststore=" + KEYSTORE.getAbsolutePath()
+              + ";truststore_password=" + KEYSTORE_PASSWORD;
+        }
 
 Review comment:
   Can you extend the parameterization to include runs both with and without the truststore and keystore passwords? (to make sure your change up above works)
