PHOENIX-4533 Modified Query Server to use two sets of Kerberos credentials
Signed-off-by: Josh Elser <elserj@apache.org>
diff --git a/phoenix-core/src/main/java/org/apache/phoenix/query/QueryServices.java b/phoenix-core/src/main/java/org/apache/phoenix/query/QueryServices.java
index bbd88f3..5e0a8f1 100644
--- a/phoenix-core/src/main/java/org/apache/phoenix/query/QueryServices.java
+++ b/phoenix-core/src/main/java/org/apache/phoenix/query/QueryServices.java
@@ -237,7 +237,9 @@
public static final String QUERY_SERVER_ENV_LOGGING_ATTRIB = "phoenix.queryserver.envvars.logging.disabled";
public static final String QUERY_SERVER_ENV_LOGGING_SKIPWORDS_ATTRIB = "phoenix.queryserver.envvars.logging.skipwords";
public static final String QUERY_SERVER_KEYTAB_FILENAME_ATTRIB = "phoenix.queryserver.keytab.file";
+ public static final String QUERY_SERVER_HTTP_KEYTAB_FILENAME_ATTRIB = "phoenix.queryserver.http.keytab.file";
public static final String QUERY_SERVER_KERBEROS_PRINCIPAL_ATTRIB = "phoenix.queryserver.kerberos.principal";
+ public static final String QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB = "phoenix.queryserver.kerberos.http.principal";
public static final String QUERY_SERVER_DNS_NAMESERVER_ATTRIB = "phoenix.queryserver.dns.nameserver";
public static final String QUERY_SERVER_DNS_INTERFACE_ATTRIB = "phoenix.queryserver.dns.interface";
public static final String QUERY_SERVER_HBASE_SECURITY_CONF_ATTRIB = "hbase.security.authentication";
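Review bot: The two new keys at `QUERY_SERVER_HTTP_KEYTAB_FILENAME_ATTRIB` and `QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB` carry no comment, although they only take effect as a pair. I would add one line above them such as `// Optional SPNEGO credentials for the HTTP endpoint; both must be set, otherwise the service keytab/principal is used.` That fallback is the behaviour visible in the QueryServer.java change of this commit, and without the comment an operator reading this file cannot tell that setting only one key does nothing.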
diff --git a/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java b/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java
index 288e4f5..6b1fcfe 100644
--- a/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java
+++ b/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java
@@ -244,6 +244,11 @@
String keytabPath = getConf().get(QueryServices.QUERY_SERVER_KEYTAB_FILENAME_ATTRIB);
File keytab = new File(keytabPath);
+ String httpKeytabPath = getConf().get(QueryServices.QUERY_SERVER_HTTP_KEYTAB_FILENAME_ATTRIB, null);
+ String httpPrincipal = getConf().get(QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB, null);
+ File httpKeytab = null;
+ if (null != httpKeytabPath)
+ httpKeytab = new File(httpKeytabPath);
String realmsString = getConf().get(QueryServices.QUERY_SERVER_KERBEROS_ALLOWED_REALMS, null);
String[] additionalAllowedRealms = null;
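Review bot: `httpKeytabPath` is only compared with null, so an empty property value produces `new File("")`, and nothing in this hunk checks that the keytab exists or is readable before it is later used for the SPNEGO login. Unless `withAutomaticLogin` already validates the file, a wrong path would surface only as a login failure far from the configuration key that caused it. A startup check such as `if (httpKeytab != null && !httpKeytab.canRead()) { throw new IllegalArgumentException("Cannot read HTTP keytab: " + httpKeytab); }` would fail early with a clear message. The unbraced `if` should also get braces to match the rest of the method. The enclosing method starts and ends outside this hunk, so the right exception type depends on how it reports configuration errors.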
@@ -252,9 +257,15 @@
}
// Enable SPNEGO and impersonation (through standard Hadoop configuration means)
- builder.withSpnego(ugi.getUserName(), additionalAllowedRealms)
- .withAutomaticLogin(keytab)
- .withImpersonation(new PhoenixDoAsCallback(ugi, getConf()));
+ if ((null != httpKeytabPath) && (null != httpPrincipal))
+ builder.withSpnego(httpPrincipal, additionalAllowedRealms)
+ .withAutomaticLogin(httpKeytab)
+ .withImpersonation(new PhoenixDoAsCallback(ugi, getConf()));
+ else
+ builder.withSpnego(ugi.getUserName(), additionalAllowedRealms)
+ .withAutomaticLogin(keytab)
+ .withImpersonation(new PhoenixDoAsCallback(ugi, getConf()));
+
}
setRemoteUserExtractorIfNecessary(builder, getConf());
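Review bot: The `else` branch is also taken when only one of the two HTTP settings is present, so a half-configured server silently runs SPNEGO with the main service credentials (`ugi.getUserName()`, `keytab`). That quietly defeats the credential separation the operator intended. I would reject the mismatched case explicitly and then select the principal and keytab once, which also removes the duplicated builder chain and the unbraced `if`/`else`. The enclosing method begins outside this hunk, so whether to throw or only log a warning depends on how it handles startup errors.

```java
// Enable SPNEGO and impersonation (through standard Hadoop configuration means)
if ((null == httpKeytabPath) != (null == httpPrincipal)) {
  throw new IllegalArgumentException(QueryServices.QUERY_SERVER_HTTP_KEYTAB_FILENAME_ATTRIB
      + " and " + QueryServices.QUERY_SERVER_KERBEROS_HTTP_PRINCIPAL_ATTRIB
      + " must be set together");
}
final boolean useHttpCredentials = null != httpPrincipal;
builder.withSpnego(useHttpCredentials ? httpPrincipal : ugi.getUserName(), additionalAllowedRealms)
    .withAutomaticLogin(useHttpCredentials ? httpKeytab : keytab)
    .withImpersonation(new PhoenixDoAsCallback(ugi, getConf()));
// … unchanged: setRemoteUserExtractorIfNecessary call …
```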