PHOENIX-5772 Streamline the kerberos logic in thin client java code #20
move hbase config parameter processing to python
remove hadoop dependency from queryserver-client
use shaded avatica client everywhere
update sqlline to 1.9
don't shade sqlline + deps into thin client
remove unnecessary interdependencies between modules
I like it! Restating what all I see done here to make sure I didn't miss anything:
- Repackage sqlline to bundle all dependencies together
- Update sqlline version
- Use JAAS to do a ticket-cache based login for sqlline-thin
- Provide sqlline-thin python args for principal+keytab, instead of forcing them through the JDBC url.
bin/thin_client_jaas.conf
@@ -0,0 +1,5 @@ | |||
ThinClient { | |||
com.sun.security.auth.module.Krb5LoginModule required |
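Review bot: the `ThinClient` entry names `com.sun.security.auth.module.Krb5LoginModule` directly, which is a vendor-specific class, so the login only works on JREs that ship the module under that package. Since this is a static file in `bin/`, the class cannot be chosen at runtime; either build the JAAS configuration in code and pick the module class per JVM, or state the supported JDKs in a comment at the top of the file, which currently opens straight with the entry on line 1. The remaining lines of the five-line file are not shown here, so the options passed to the module cannot be checked from this excerpt.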
I think this will break on IBM java. They do something annoying like have Krb5LoginModule in a different package, I think com.ibm.security.auth.module.Krb5LoginModule.
Also annoying, the semantics on what options you may/must provide in the configuration block are different between vendors.
I think these options are OK...
https://www.ibm.com/support/knowledgecenter/SSYKE2_7.1.0/com.ibm.java.security.api.71.doc/jgss/com/ibm/security/auth/module/Krb5LoginModule.html seems to indicate that it's actually useKeytab on IBM.
Probably easiest to just acknowledge that we only expect this to work on openjdk/oraclejdk (and maybe azul?). All of those have the exact same JAAS config semantics for krb5, AFAIK.
You are right.
I cobbled together a solution without an external config file, and with IBM JRE support based on the hadoop minicluster config. It mostly works with IBM JRE now.
Getting the IBM JRE to actually talk to an HTTPS server was also fun. (Only old-timers remember the export-only limited cipher brouhaha, that IBM still has)
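A sketch of the approach discussed in this thread (a JAAS configuration built in code, with the login module chosen per JVM vendor), added here as an illustration; it is not the code from this pull request. The class name `VendorAwareJaasConfig` is hypothetical, and the IBM option names (`useKeytab`, `useDefaultCcache`, `credsType`) are assumptions taken from IBM's Krb5LoginModule documentation, not tested on an IBM JRE.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

/** Hypothetical helper: in-memory JAAS config for a ticket-cache or keytab login. */
public class VendorAwareJaasConfig extends Configuration {
    private static final boolean IBM_JAVA =
        System.getProperty("java.vendor", "").contains("IBM");

    private final String principal; // null means: take it from the ticket cache
    private final String keytab;    // null means: ticket-cache login

    public VendorAwareJaasConfig(String principal, String keytab) {
        this.principal = principal;
        this.keytab = keytab;
    }

    /** The Kerberos login module lives in a different package on IBM JREs. */
    static String loginModuleName() {
        return IBM_JAVA ? "com.ibm.security.auth.module.Krb5LoginModule"
                        : "com.sun.security.auth.module.Krb5LoginModule";
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        Map<String, String> opts = new HashMap<>();
        if (principal != null) {
            opts.put("principal", principal);
        }
        if (IBM_JAVA) {
            // Assumed IBM semantics: the keytab is passed as a URL in useKeytab.
            opts.put("credsType", "initiator");
            if (keytab != null) {
                opts.put("useKeytab", "file://" + keytab);
            } else {
                opts.put("useDefaultCcache", "true");
            }
        } else {
            // OpenJDK/Oracle semantics: boolean switch plus a separate path option.
            opts.put("doNotPrompt", "true"); // fail instead of asking for a password
            if (keytab != null) {
                opts.put("useKeyTab", "true");
                opts.put("keyTab", keytab);
                opts.put("storeKey", "true");
            } else {
                opts.put("useTicketCache", "true");
            }
        }
        return new AppConfigurationEntry[] {
            new AppConfigurationEntry(loginModuleName(), LoginModuleControlFlag.REQUIRED, opts)
        };
    }
}
```

An instance can be passed as the fourth argument of `new LoginContext(name, subject, callbackHandler, config)`, so no external `.conf` file or `java.security.auth.login.config` property is needed.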
Some general notes: We don't repackage sqlline, we just use the pre-packaged uberjar provided by them. You did not spell out exactly in your summary, but the major win here is using the pre-shaded avatica jar instead of shading ourselves, and omitting hbase, hadoop, and sqlline from the JDBC driver JAR.
Sorry for the delay getting back here.