Google Git
Sign in
apache / phoenix-omid / 70f3ca6a8d00a87105f13d263498adf30379908a^! / .
commit70f3ca6a8d00a87105f13d263498adf30379908a[log] [tgz]
authorIstvan Toth <stoty@apache.org>Tue Feb 23 21:29:06 2021 +0100
committerIstvan Toth <stoty@apache.org>Wed Feb 24 07:31:17 2021 +0100
tree00105e811f8d835231975bd92d6fb423efb5b7c0
parent392056f4062dc5669b5d6c6efa0be1da980277fc [diff]
OMID-199 Omid client cannot use pre-authenticated UserGroupInformation.getCurrentUser()

diff --git a/hbase-common/src/main/java/org/apache/omid/tools/hbase/HBaseLogin.java b/hbase-common/src/main/java/org/apache/omid/tools/hbase/HBaseLogin.java
index 0241fc0..3e5d197 100644
--- a/hbase-common/src/main/java/org/apache/omid/tools/hbase/HBaseLogin.java
+++ b/hbase-common/src/main/java/org/apache/omid/tools/hbase/HBaseLogin.java

@@ -43,10 +43,12 @@
     @Nullable
     public static UserGroupInformation loginIfNeeded(SecureHBaseConfig config, Configuration hbaseConf) throws IOException {
         boolean credsProvided = null != config.getPrincipal() && null != config.getKeytab();
-        if (UserGroupInformation.isSecurityEnabled() && credsProvided) {
+        if (UserGroupInformation.isSecurityEnabled()) {
             // Check if we need to authenticate with kerberos so that we cache the correct ConnectionInfo
             UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
-            if (!currentUser.hasKerberosCredentials() || !isSameName(currentUser.getUserName(), config.getPrincipal())) {
+            if (credsProvided
+                    && (!currentUser.hasKerberosCredentials()
+                            || !isSameName(currentUser.getUserName(), config.getPrincipal()))) {
                 synchronized (KERBEROS_LOGIN_LOCK) {
                     // Double check the current user, might have changed since we checked last. Don't want
                     // to re-login if it's the same user.
@@ -63,11 +65,13 @@
                     }
                 }
             } else {
-                // The user already has Kerberos creds, so there isn't anything to change in the ConnectionInfo.
-                LOG.debug("Already logged in as {}", currentUser);
+                if (currentUser.hasKerberosCredentials()) {
+                    // The user already has Kerberos creds, so there isn't anything to change in the ConnectionInfo.
+                    LOG.debug("Already logged in as {}", currentUser);
+                } else {
+                    LOG.warn("Security enabled but not logged in, and did not provide credentials. NULL UGI returned");
+                }
             }
-        } else {
-            LOG.warn("Security NOT enabled when connecting to HBase. Act at your own risk. NULL UGI returned");
         }
         return ugi;
     }

diff --git a/hbase-common/src/main/java/org/apache/omid/tools/hbase/SecureHBaseConfig.java b/hbase-common/src/main/java/org/apache/omid/tools/hbase/SecureHBaseConfig.java
index 3d14e0f..c43260a 100644
--- a/hbase-common/src/main/java/org/apache/omid/tools/hbase/SecureHBaseConfig.java
+++ b/hbase-common/src/main/java/org/apache/omid/tools/hbase/SecureHBaseConfig.java

@@ -25,8 +25,8 @@
     public static final String HBASE_CLIENT_PRINCIPAL_KEY = "hbase.client.principal";
     public static final String HBASE_CLIENT_KEYTAB_KEY = "hbase.client.keytab";
 
-    private String principal = "not set";
-    private String keytab = "not set";
+    private String principal;
+    private String keytab;
 
     // ----------------------------------------------------------------------------------------------------------------
     // WARNING: Do not remove getters/setters, needed by snake_yaml!