[GitHub] accumulo pull request #274: ACCUMULO-4666 Improve KerberosToken sanity-check...

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[GitHub] accumulo pull request #274: ACCUMULO-4666 Improve KerberosToken sanity-check...

ctubbsii
GitHub user joshelser opened a pull request:

    https://github.com/apache/accumulo/pull/274

    ACCUMULO-4666 Improve KerberosToken sanity-checks and related doc

   

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/joshelser/accumulo 4666-kt-cleanup

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/accumulo/pull/274.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #274
   
----
commit 3d552ea41cf70b46370a3a1e05b53ce511a144a6
Author: Josh Elser <[hidden email]>
Date:   2017-06-27T16:47:32Z

    ACCUMULO-4666 Improve KerberosToken sanity-checks and related doc

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[GitHub] accumulo issue #274: ACCUMULO-4666 Improve KerberosToken sanity-checks and r...

ctubbsii
Github user joshelser commented on the issue:

    https://github.com/apache/accumulo/pull/274
 
    @ctubbsii care to take a look before I merge this in?


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[GitHub] accumulo pull request #274: ACCUMULO-4666 Improve KerberosToken sanity-check...

ctubbsii
In reply to this post by ctubbsii
Github user asfgit closed the pull request at:

    https://github.com/apache/accumulo/pull/274


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[GitHub] accumulo pull request #274: ACCUMULO-4666 Improve KerberosToken sanity-check...

ctubbsii
In reply to this post by ctubbsii
Github user ctubbsii commented on a diff in the pull request:

    https://github.com/apache/accumulo/pull/274#discussion_r124411313
 
    --- Diff: core/src/main/java/org/apache/accumulo/core/client/security/tokens/KerberosToken.java ---
    @@ -48,15 +48,25 @@
       /**
        * Creates a token using the provided principal and the currently logged-in user via {@link UserGroupInformation}.
        *
    +   * This method expects the current user (as defined by {@link UserGroupInformation#getCurrentUser()} to be authenticated via Kerberos or as a Proxy (on top of
    +   * another user). An {@link IllegalArgumentException} will be thrown for all other cases.
    +   *
        * @param principal
        *          The user that is logged in
    +   * @throws IllegalArgumentException
    +   *           If the current user is not authentication via Kerberos or Proxy methods.
    +   * @see UserGroupInformation#getCurrentUser()
    +   * @see UserGroupInformation#getAuthenticationMethod()
        */
       public KerberosToken(String principal) throws IOException {
         this.principal = requireNonNull(principal);
    -    final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
    -    if (AuthenticationMethod.KERBEROS == ugi.getAuthenticationMethod()) {
    -      checkArgument(ugi.hasKerberosCredentials(), "Subject is not logged in via Kerberos");
    -    }
    +    validateAuthMethod(UserGroupInformation.getCurrentUser().getAuthenticationMethod());
    +  }
    +
    +  static void validateAuthMethod(AuthenticationMethod authMethod) {
    +    // There is also KERBEROS_SSL but that appears to be deprecated/OBE
    +    checkArgument(AuthenticationMethod.KERBEROS == authMethod || AuthenticationMethod.PROXY == authMethod,
    --- End diff --
   
    Do we no longer care if `ugi.hasKerberosCredentials()` when the case is KERBEROS?
   
    I guess I was kind of expecting this to supplement the verification that the KERBEROS case was logged in, instead of replace it. But, if that's checked elsewhere (at RPC time?), then I guess it's fine.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[GitHub] accumulo pull request #274: ACCUMULO-4666 Improve KerberosToken sanity-check...

ctubbsii
In reply to this post by ctubbsii
Github user joshelser commented on a diff in the pull request:

    https://github.com/apache/accumulo/pull/274#discussion_r124411917
 
    --- Diff: core/src/main/java/org/apache/accumulo/core/client/security/tokens/KerberosToken.java ---
    @@ -48,15 +48,25 @@
       /**
        * Creates a token using the provided principal and the currently logged-in user via {@link UserGroupInformation}.
        *
    +   * This method expects the current user (as defined by {@link UserGroupInformation#getCurrentUser()} to be authenticated via Kerberos or as a Proxy (on top of
    +   * another user). An {@link IllegalArgumentException} will be thrown for all other cases.
    +   *
        * @param principal
        *          The user that is logged in
    +   * @throws IllegalArgumentException
    +   *           If the current user is not authentication via Kerberos or Proxy methods.
    +   * @see UserGroupInformation#getCurrentUser()
    +   * @see UserGroupInformation#getAuthenticationMethod()
        */
       public KerberosToken(String principal) throws IOException {
         this.principal = requireNonNull(principal);
    -    final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
    -    if (AuthenticationMethod.KERBEROS == ugi.getAuthenticationMethod()) {
    -      checkArgument(ugi.hasKerberosCredentials(), "Subject is not logged in via Kerberos");
    -    }
    +    validateAuthMethod(UserGroupInformation.getCurrentUser().getAuthenticationMethod());
    +  }
    +
    +  static void validateAuthMethod(AuthenticationMethod authMethod) {
    +    // There is also KERBEROS_SSL but that appears to be deprecated/OBE
    +    checkArgument(AuthenticationMethod.KERBEROS == authMethod || AuthenticationMethod.PROXY == authMethod,
    --- End diff --
   
    > Do we no longer care if ugi.hasKerberosCredentials() when the case is KERBEROS?
   
    IMO, that's out of scope for what we should care about in Accumulo. I don't recall having a reason to actually check `hasKerberosCredentials()` -- the `AuthenticationMethod` is treated as sufficient in other projects I've seen using UGI.
   
    > But, if that's checked elsewhere (at RPC time?), then I guess it's fine.
   
    And yes, this is only trying to preemptively catch scenarios that we "know" will fail. I'm just worried about being overly aggressive in trying to catch things that we only "think" might fail (e.g. ACCUMULO-4665).


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[GitHub] accumulo pull request #274: ACCUMULO-4666 Improve KerberosToken sanity-check...

ctubbsii
In reply to this post by ctubbsii
Github user ctubbsii commented on a diff in the pull request:

    https://github.com/apache/accumulo/pull/274#discussion_r124412629
 
    --- Diff: core/src/main/java/org/apache/accumulo/core/client/security/tokens/KerberosToken.java ---
    @@ -48,15 +48,25 @@
       /**
        * Creates a token using the provided principal and the currently logged-in user via {@link UserGroupInformation}.
        *
    +   * This method expects the current user (as defined by {@link UserGroupInformation#getCurrentUser()} to be authenticated via Kerberos or as a Proxy (on top of
    +   * another user). An {@link IllegalArgumentException} will be thrown for all other cases.
    +   *
        * @param principal
        *          The user that is logged in
    +   * @throws IllegalArgumentException
    +   *           If the current user is not authentication via Kerberos or Proxy methods.
    +   * @see UserGroupInformation#getCurrentUser()
    +   * @see UserGroupInformation#getAuthenticationMethod()
        */
       public KerberosToken(String principal) throws IOException {
         this.principal = requireNonNull(principal);
    -    final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
    -    if (AuthenticationMethod.KERBEROS == ugi.getAuthenticationMethod()) {
    -      checkArgument(ugi.hasKerberosCredentials(), "Subject is not logged in via Kerberos");
    -    }
    +    validateAuthMethod(UserGroupInformation.getCurrentUser().getAuthenticationMethod());
    +  }
    +
    +  static void validateAuthMethod(AuthenticationMethod authMethod) {
    +    // There is also KERBEROS_SSL but that appears to be deprecated/OBE
    +    checkArgument(AuthenticationMethod.KERBEROS == authMethod || AuthenticationMethod.PROXY == authMethod,
    --- End diff --
   
    Gotcha. Just wanted to make sure.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [hidden email] or file a JIRA ticket
with INFRA.
---
Loading...