You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@phoenix.apache.org by "Josh Elser (JIRA)" <ji...@apache.org> on 2018/12/03 23:39:00 UTC

[jira] [Commented] (PHOENIX-5006) jdbc connection to secure cluster should be able to use Kerberos ticket of user

    [ https://issues.apache.org/jira/browse/PHOENIX-5006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16707988#comment-16707988 ] 

Josh Elser commented on PHOENIX-5006:
-------------------------------------

[~gsbiju], hey, sorry for the silence. Been a rough month.

I'm looking at the patch you've supplied. This part of the login code is pretty gross and has lots of bad assumptions around it. Abstractly: I think what you're trying to do is good in spirit:
 # Can we tell if security is enabled? We should build the Configuration which was built from site.xml files as well as the JDBC properties.
 # Try to log in if security is enabled.
 ## Log in via princ+keytab from config (again, which pulls from site.xml or the JDBC properties)
 ## Log in via krb5 login module which will pull from the ticket cache by default (this might even be able to dynamically prompt you since we're in a user-interactive context)

I think inverting the logic will help clear a bit of this up. Also, I don't think we need to worry about all of the scariness in 2.1 (figuring out when to re-login if we already have some creentials) applies for 2.2 which simplifies things.

Do you want to try your hand at the above, [~gsbiju], or should I continue? I've just mocked it up a little locally to make sure I liked what I was suggesting.

> jdbc connection to secure cluster should be able to use Kerberos ticket of user
> -------------------------------------------------------------------------------
>
>                 Key: PHOENIX-5006
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-5006
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Biju Nair
>            Priority: Minor
>         Attachments: PHOENIX-5006.possiblefix
>
>
> Currently JDBC connection against a secure Phoenix cluster requires a Kerberos principal and keytab to be passed in as part of the connection string. But in many instances users may not have a {{Keytab}} especially during development. It would be good to support using the logged in users Kerberos ticket. 
>   



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)