PHOENIX-5772 Streamline the kerberos logic in thin client java code #20
Conversation
move hbase config parameter processing to python remove hadoop dependency from queryserver-client use shaded avatica client everywhere update sqlline to 1.9 don't shade sqlline + deps into thin client remove unnecessary interdependencies between modules
There was a problem hiding this comment.
I like it! Restating what all I see done here to make sure I didn't miss anything:
- Repackage sqlline to bundle all dependencies together
- Update sqlline version
- Use JAAS to do a ticket-cache based login for sqllline-thin
- Provide sqlline-thin python args for principal+keytab, instead of forcing them through the JDBC url.
bin/thin_client_jaas.conf
Outdated
| @@ -0,0 +1,5 @@ | |||
| ThinClient { | |||
| com.sun.security.auth.module.Krb5LoginModule required | |||
There was a problem hiding this comment.
I think this will break on IBM java. They do something annoying like have Krb5LoginModule in a different package, I think com.ibm.security.auth.module.Krb5LoginModule.
Also annoying, the semantics on what you options you may/must provide in the configuration block are different between vendors.
There was a problem hiding this comment.
I think these options are OK...
https://www.ibm.com/support/knowledgecenter/SSYKE2_7.1.0/com.ibm.java.security.api.71.doc/jgss/com/ibm/security/auth/module/Krb5LoginModule.html seems to indicate that it's actually useKeytab on IBM.
Probably easiest to just acknowledge that we only expect this to work on openjdk/oraclejdk (and maybe azul?). All of those have the exact same JAAS config semantics for krb5, AFAIK.
There was a problem hiding this comment.
You are right.
I cobbled together a solution without external config file, and with IBM JRE support based on the hadoop minicluster config. It mostly works with IBM JRE now.
Getting the IBM JRE actually talk to a HTTPS server was also fun. (Only old-timers remember the export-only limited cipher brouhaha, that IBM still has)
queryserver-client/src/main/java/org/apache/phoenix/queryserver/client/SqllineWrapper.java
Outdated
Show resolved
Hide resolved
queryserver-client/src/main/java/org/apache/phoenix/queryserver/client/SqllineWrapper.java
Outdated
Show resolved
Hide resolved
|
Some general notes: We don't repackage sqlline, we just use the pre-packaged uberjar provided by them. You did not spell out exactly in your summary, but the major win here is using the pre-shaded avatcia jar instead of shading ourselves, and omitting hbase, hadoop, and sqlline from the JDBC driver JAR. |
move hbase config parameter processing to python
remove hadoop dependency from queryserver-client
use shaded avatica client everywhere
update sqlline to 1.9
don't shade sqlline + deps into thin client
remove unnecessary interdependencies between modules