Posted to issues@hawq.apache.org by kavinderd <gi...@git.apache.org> on 2017/01/06 19:58:46 UTC

[GitHub] incubator-hawq pull request #1075: HAWQ-762. Login to kerberos if credential...

GitHub user kavinderd opened a pull request:

    https://github.com/apache/incubator-hawq/pull/1075

    HAWQ-762. Login to kerberos if credentials are no longer valid

    

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/kavinderd/incubator-hawq HAWQ-762

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-hawq/pull/1075.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1075
    
----
commit b6f8a9a0c4c1e9b6f85971f8dfe2e32bed6a6c45
Author: Kavinder Dhaliwal <ka...@gmail.com>
Date:   2017-01-06T19:56:29Z

    HAWQ-762. Login to kerberos if credentials are no longer valid

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-hawq pull request #1075: HAWQ-762. Login to kerberos if credential...

Posted by sansanichfb <gi...@git.apache.org>.
Github user sansanichfb commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq/pull/1075#discussion_r95009848
  
    --- Diff: pxf/pxf-service/src/main/java/org/apache/hawq/pxf/service/utilities/SecuredHDFS.java ---
    @@ -53,6 +53,10 @@
         public static void verifyToken(ProtocolData protData, ServletContext context) {
             try {
                 if (UserGroupInformation.isSecurityEnabled()) {
    +                UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
    +                if (!loginUser.hasKerberosCredentials()) {
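
Review bot: The condition on the `hasKerberosCredentials()` line tests whether the login user has Kerberos credentials at all, while the commit title is about credentials that are no longer valid. Please confirm that this call returns false once the ticket has expired; if it only reflects how the user originally logged in, the branch never runs in the case this change targets, and an explicit expiry check would be needed instead.
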
    --- End diff --
    
    Any chance that loginUser might be null?



[GitHub] incubator-hawq pull request #1075: HAWQ-762. Login to kerberos if credential...

Posted by kavinderd <gi...@git.apache.org>.
Github user kavinderd closed the pull request at:

    https://github.com/apache/incubator-hawq/pull/1075



[GitHub] incubator-hawq pull request #1075: HAWQ-762. Login to kerberos if credential...

Posted by kavinderd <gi...@git.apache.org>.
Github user kavinderd commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq/pull/1075#discussion_r95034235
  
    --- Diff: pxf/pxf-service/src/main/java/org/apache/hawq/pxf/service/utilities/SecuredHDFS.java ---
    @@ -53,6 +53,10 @@
         public static void verifyToken(ProtocolData protData, ServletContext context) {
             try {
                 if (UserGroupInformation.isSecurityEnabled()) {
    +                UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
    +                if (!loginUser.hasKerberosCredentials()) {
    +                    SecureLogin.login();
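
Review bot: Nothing around the `SecureLogin.login()` call serializes it, and `verifyToken` is a public static method, so concurrent callers that find no credentials can each enter this branch and log in at the same time. Suggest guarding the re-login with a lock and re-checking `hasKerberosCredentials()` inside it, and logging when a re-login is triggered so repeated attempts are visible to operators.
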
    --- End diff --
    
    Instead of `SecureLogin` we can just directly use `UserGroupInformation.getLoginUser().reloginFromKeytab()`; it seems more lightweight since it leverages all the Kerberos information that's already in memory.



[GitHub] incubator-hawq pull request #1075: HAWQ-762. Login to kerberos if credential...

Posted by kavinderd <gi...@git.apache.org>.
Github user kavinderd commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq/pull/1075#discussion_r95010426
  
    --- Diff: pxf/pxf-service/src/main/java/org/apache/hawq/pxf/service/utilities/SecuredHDFS.java ---
    @@ -53,6 +53,10 @@
         public static void verifyToken(ProtocolData protData, ServletContext context) {
             try {
                 if (UserGroupInformation.isSecurityEnabled()) {
    +                UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
    +                if (!loginUser.hasKerberosCredentials()) {
    --- End diff --
    
    I don't think so, if we pass the above check `UserGroupInformation.isSecurityEnabled()`, but I can add a null check to be safe.



[GitHub] incubator-hawq pull request #1075: HAWQ-762. Login to kerberos if credential...

Posted by shivzone <gi...@git.apache.org>.
Github user shivzone commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq/pull/1075#discussion_r95014877
  
    --- Diff: pxf/pxf-service/src/main/java/org/apache/hawq/pxf/service/utilities/SecuredHDFS.java ---
    @@ -53,6 +53,10 @@
         public static void verifyToken(ProtocolData protData, ServletContext context) {
             try {
                 if (UserGroupInformation.isSecurityEnabled()) {
    +                UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
    +                if (!loginUser.hasKerberosCredentials()) {
    +                    SecureLogin.login();
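
Review bot: The `SecureLogin.login()` call sits inside the existing `try`, and the hunk does not show what happens when it fails. Make sure a failed login stops `verifyToken` with an error rather than falling through to the rest of the method with a login user that still has no Kerberos credentials, and add a test for that path.
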
    --- End diff --
    
    We should definitely avoid invoking login() during every REST API request. SecureUtil.login invokes Configuration.addResource to load pxf-site.xml which is quite expensive. We should definitely move this to a background thread or have a different means of checking if verifyToken fails and try login.

