HBASE-30042 Test AuthUtil.loginClient with existing Kerberos login #8002
junegunn merged 2 commits into apache:master from
| @Test | ||
| public void testAuthUtilLogin() throws Exception { | ||
| public void testAuthUtilLoginWithExistingLoginUser() throws Exception { |
Let's update this test to only cover the case where a Kerberos user is already logged in.
| conf.set(AuthUtil.HBASE_CLIENT_KEYTAB_FILE, clientKeytab); | ||
| conf.set(AuthUtil.HBASE_CLIENT_KERBEROS_PRINCIPAL, clientPrincipal); | ||
| UserGroupInformation.setConfiguration(conf); | ||
| UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab); |
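Review bot: `UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab)` on the last line of this hunk replaces the JVM-wide static login user, and nothing in these lines restores it, so the Kerberos login established here can carry over into other tests that run in the same JVM and make their outcome depend on execution order. Consider clearing the login state in an `@After` method (for example with `UserGroupInformation.reset()`), and asserting after the `AuthUtil.loginClient` call that the returned user's principal equals `clientPrincipal`, so the test fails if the pre-existing login is not the one that comes back.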
Thanks, this issue has been bothering me for a while, and I can confirm this makes the test pass.
However, if we do this, we no longer test if AuthUtil.loginClient actually performs the login for the user. I think we could create a separate user principal, log in as that user, and then test whether AuthUtil.loginClient correctly logs in the original user and returns that user.
Thank you for your feedback.
I updated my test a bit.
AuthUtil.loginClient has the following branches:
1. No Kerberos credentials (not logged in)
I think this cannot be tested in a MiniKdc environment. Even without an explicit login, AuthUtil.loginClient picks up the kinit principal from the ticket cache, which fails with KerberosName$NoMatchingRule because we don't have auth_to_local rules configured. So I just skipped it.
2. Kerberos credentials exist (already logged in)
- 2-a. Current login principal matches conf → return as-is (testAuthUtilLoginWithExistingLoginUser)
- 2-b. Mismatch → re-login with the configured principal (testAuthUtilLoginWithDifferentExistingUser)
Both cases are now covered.
Jira https://issues.apache.org/jira/browse/HBASE-30042