You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@phoenix.apache.org by "Josh Elser (JIRA)" <ji...@apache.org> on 2018/12/03 23:39:00 UTC
[jira] [Commented] (PHOENIX-5006) jdbc connection to secure cluster
should be able to use Kerberos ticket of user
[ https://issues.apache.org/jira/browse/PHOENIX-5006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16707988#comment-16707988 ]
Josh Elser commented on PHOENIX-5006:
-------------------------------------
[~gsbiju], hey, sorry for the silence. Been a rough month.
I'm looking at the patch you've supplied. This part of the login code is pretty gross and has lots of bad assumptions around it. Abstractly: I think what you're trying to do is good in spirit:
# Can we tell if security is enabled? We should build the Configuration which was built from site.xml files as well as the JDBC properties.
# Try to log in if security is enabled.
## Log in via princ+keytab from config (again, which pulls from site.xml or the JDBC properties)
## Log in via krb5 login module which will pull from the ticket cache by default (this might even be able to dynamically prompt you since we're in a user-interactive context)
I think inverting the logic will help clear a bit of this up. Also, I don't think we need to worry about all of the scariness in 2.1 (figuring out when to re-login if we already have some creentials) applies for 2.2 which simplifies things.
Do you want to try your hand at the above, [~gsbiju], or should I continue? I've just mocked it up a little locally to make sure I liked what I was suggesting.
> jdbc connection to secure cluster should be able to use Kerberos ticket of user
> -------------------------------------------------------------------------------
>
> Key: PHOENIX-5006
> URL: https://issues.apache.org/jira/browse/PHOENIX-5006
> Project: Phoenix
> Issue Type: Bug
> Reporter: Biju Nair
> Priority: Minor
> Attachments: PHOENIX-5006.possiblefix
>
>
> Currently JDBC connection against a secure Phoenix cluster requires a Kerberos principal and keytab to be passed in as part of the connection string. But in many instances users may not have a {{Keytab}} especially during development. It would be good to support using the logged in users Kerberos ticket.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)