KNOX-2315 - Fix zookeeper Kerberos Auth #304
...fig/src/main/java/org/apache/knox/gateway/service/config/remote/zk/CuratorClientService.java
@@ -124,7 +125,14 @@ private RemoteConfigurationRegistryClient createClient(RemoteConfigurationRegist | |||
ACLProvider aclProvider; | |||
if (config.isSecureRegistry()) { | |||
configureSasl(config); | |||
aclProvider = new SASLOwnerACLProvider(); | |||
if (!StringUtils.isBlank(config.getAuthType()) && config |
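Review bot: The auth-type condition on the last visible line of this hunk (`!StringUtils.isBlank(config.getAuthType()) && config ...`) sits inside the `config.isSecureRegistry()` branch that picks the `ACLProvider`, so it is a security decision written as an inline compound test that is hard to audit. Consider moving it into one named predicate that takes the auth type string, and add a comment saying which ACL provider applies when the auth type is blank or unrecognized. In the visible lines `configureSasl(config)` also comes before the auth type is examined; it is worth confirming that this is intended for every auth type a secure registry can have.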
You've defined a method authenticationType(). Why not use that here? Could also have a utility method isKerberosAuth(final String authType) that performs this evaluation. There is nearly identical logic in ZookeeperRemoteAliasService
Hmm, agreed that would make things simpler and easier to read as well.
authenticationType() method is defined in the private class ClientAdapter so we can't use it. That is also the reason that reusing this code is tricky.
I was thinking you can define a static method in a class that is accessible to all that need to reference it, which takes a String (the authenticationType() result). Something in the gateway-spi module?
It actually may be easier to simply change it to AUTH_TYPE_KERBEROS.equalsIgnoreCase(config.getAuthType()), which would handle the blank or null value check too.
Interesting, I did not know equalsIgnoreCase() is null safe, learnt something today :)
LGTM
What changes were proposed in this pull request?
This PR fixes issues with Zookeeper Kerberos authentication. This PR contains the following changes.
How was this patch tested?
This patch was locally tested on a secure cluster with Kerberos authentication between Knox and Zookeeper.