[ZEPPELIN-2698] Apply KerberosInterpreter to JDBCInterpreter #2443
Conversation
|
@felixcheung @zjffdu can you help review this as well? |
|
This PR LGTM. Just one comment on the base class
Which means |
|
@zjffdu sure, that does make sense. |
|
@zjffdu I've made the suggested changes. Let me know if I'm missing something else as well. |
| } | ||
|
|
||
| private String getKerberosRefreshInterval() { | ||
| if (System.getenv("KERBEROS_REFRESH_INTERVAL") == null) { |
There was a problem hiding this comment.
I think we need to add javadoc for KerberosInterpreter.java to explain the internal mechanism of it. So basically I believe user need to do 3 things to extend KerberosInterpreter.
- implement
runKerberosLogin - implement
isKerboseEnabled - define
KERBEROS_REFRESH_INTERVALin interpreter setting. Maybe we could also add abstract method likegetKerborseRefreshIntervalto enforce its sub class to implement it.
There was a problem hiding this comment.
Sure, have added isKerboseEnabled in javadoc.
For KERBEROS_REFRESH_INTERVAL I think all interpreters can share a common its value defined in zeppelin-env.sh (https://github.com/apache/zeppelin/blob/master/conf/zeppelin-env.sh.template#L58-L59) instead of having it at interpreter level, and increasing the complexity (number of lines) of interpreter config.
| protected boolean runKerberosLogin() { | ||
| try { | ||
| UserGroupInformation.AuthenticationMethod authType = JDBCSecurityImpl.getAuthtype(property); | ||
| if (authType.equals(KERBEROS)) { |
There was a problem hiding this comment.
authType is not needed to check as runKerberosLogin would be only called when kerberos is enabled.
There was a problem hiding this comment.
Yes, make sense, removed unnecessary if condition.
| super(property); | ||
| } | ||
|
|
||
| @Override |
There was a problem hiding this comment.
I think we can move createSecureConfiguration from ShellSecurityImpl to ShellInterpreter, then ShellSecurityImpl could be deleted
LAUNCH_KERBEROS_REFRESH_INTERVAL to KERBEROS_REFRESH_INTERVAL
|
LGTM |
|
@zjffdu Thank you for the review. CI is green, will merge if no more discussion. |
### What is this PR for? This is to apply new KerberosInterpreter mechanism to JDBCInterpreter for relogin from keytab, instead of on fail relogin. ### What type of PR is it? [Refactoring] ### What is the Jira issue? * [ZEPPELIN-2698](https://issues.apache.org/jira/browse/ZEPPELIN-2698) ### How should this be tested? In JDBC interpreter setting add following properties - zeppelin.jdbc.auth.type = KERBEROS - zeppelin.jdbc.principal = principal value - zeppelin.jdbc.keytab.location = keytab location Now try and run any of hive's query (say `show tables`) it should return with valid results. Again, wait for this kerberos ticket to expire (usually its 24hrs) then try the above again, and it should work. ### Questions: * Does the licenses files need update? N/A * Is there breaking changes for older versions? N/A * Does this needs documentation? N/A Author: Prabhjyot Singh <[email protected]> Author: prabhjyotsingh <[email protected]> Closes apache#2443 from prabhjyotsingh/ZEPPELIN-2698 and squashes the following commits: 835b4bd [Prabhjyot Singh] check for invalid user input; in case of error fall back to default values a5a54d4 [Prabhjyot Singh] runKerberosLogin block should return false 5823727 [Prabhjyot Singh] change schedule to submit so it runs without wait for the first time. LAUNCH_KERBEROS_REFRESH_INTERVAL to KERBEROS_REFRESH_INTERVAL 7fe883c [Prabhjyot Singh] @zjffdu review comments 7f8b867 [prabhjyotsingh] call `startKerberosLoginThread` and `shutdownExecutorService` in parent class 57ea80c [Prabhjyot Singh] apply KerberosInterpreter to JDBCInterpreter
### What is this PR for? This is to apply new KerberosInterpreter mechanism to JDBCInterpreter for relogin from keytab, instead of on fail relogin. ### What type of PR is it? [Refactoring] ### What is the Jira issue? * [ZEPPELIN-2698](https://issues.apache.org/jira/browse/ZEPPELIN-2698) ### How should this be tested? In JDBC interpreter setting add following properties - zeppelin.jdbc.auth.type = KERBEROS - zeppelin.jdbc.principal = principal value - zeppelin.jdbc.keytab.location = keytab location Now try and run any of hive's query (say `show tables`) it should return with valid results. Again, wait for this kerberos ticket to expire (usually its 24hrs) then try the above again, and it should work. ### Questions: * Does the licenses files need update? N/A * Is there breaking changes for older versions? N/A * Does this needs documentation? N/A Author: Prabhjyot Singh <[email protected]> Author: prabhjyotsingh <[email protected]> Closes apache#2443 from prabhjyotsingh/ZEPPELIN-2698 and squashes the following commits: 835b4bd [Prabhjyot Singh] check for invalid user input; in case of error fall back to default values a5a54d4 [Prabhjyot Singh] runKerberosLogin block should return false 5823727 [Prabhjyot Singh] change schedule to submit so it runs without wait for the first time. LAUNCH_KERBEROS_REFRESH_INTERVAL to KERBEROS_REFRESH_INTERVAL 7fe883c [Prabhjyot Singh] @zjffdu review comments 7f8b867 [prabhjyotsingh] call `startKerberosLoginThread` and `shutdownExecutorService` in parent class 57ea80c [Prabhjyot Singh] apply KerberosInterpreter to JDBCInterpreter
2 participants
What is this PR for?
This is to apply new KerberosInterpreter mechanism to JDBCInterpreter for relogin from keytab, instead of on fail relogin.
What type of PR is it?
[Refactoring]
What is the Jira issue?
How should this be tested?
In JDBC interpreter setting add following properties
Now try and run any of hive's query (say
show tables) it should return with valid results.Again, wait for this kerberos ticket to expire (usually its 24hrs) then try the above again, and it should work.
Questions: