Support kerberos authentication for Kudu connector#3549
Support kerberos authentication for Kudu connector#3549liyubin117 wants to merge 1 commit intotrinodb:masterfrom
Conversation
|
Thank you for your pull request and welcome to our community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. In order for us to review and merge your code, please submit the signed CLA to cla@prestosql.io. For more information, see https://github.com/prestosql/cla. |
| private boolean disableStatistics; | ||
| private boolean schemaEmulationEnabled; | ||
| private String schemaEmulationPrefix = "presto::"; | ||
| private boolean kerberosAuthEnabled; |
There was a problem hiding this comment.
Can we have this in a separate config file ?
| private final boolean kerberosAuthEnabled; | ||
|
|
||
| public KuduClientSession(KuduClient client, SchemaEmulation schemaEmulation) | ||
| public KuduClientSession(KuduClient client, SchemaEmulation schemaEmulation, boolean kerberosAuthEnabled) |
There was a problem hiding this comment.
Can we have it as a wrap of top of KuduClientSession ?
| builder.defaultSocketReadTimeoutMs(config.getDefaultSocketReadTimeout().toMillis()); | ||
| if (config.isDisableStatistics()) { | ||
| builder.disableStatistics(); | ||
| KuduClient client; |
There was a problem hiding this comment.
Can we have separate module for the kerberos based KuduClient ?
| if (debugEnabled) { | ||
| System.setProperty("sun.security.krb5.debug", "true"); | ||
| } | ||
| UserGroupInformation.setConfiguration(conf); |
There was a problem hiding this comment.
Do we need to add hadoop dependencies ? How about reusing KerberosAuthentication in presto plugiin toolkit ?
kokosing
left a comment
kokosing
left a comment
There was a problem hiding this comment.
Thank you for working on this, this will be a great contribution to Presto.
I left some general comments about implementation and configuration properties (to make in line with other components in Presto that are using KRB).
The biggest challenge is see here is testing. Do you have any idea how to tackle this? I would suggest to you setup product tests that could use https://github.com/prestosql/docker-images/tree/master/prestodev/kerberos. What do you think? I can help you go through this, but please prepare that is not something that can be written over night.
| ## Disable Kudu client's collection of statistics. | ||
| #kudu.client.disable-statistics = false | ||
|
|
||
| ####################### |
There was a problem hiding this comment.
I think this should be a regular subsection.
Same applies to ### Advanced Kudu Java client configuration.
@mosabua Any suggestsions?
|
|
||
| <dependency> | ||
| <groupId>io.prestosql.hadoop</groupId> | ||
| <artifactId>hadoop-apache</artifactId> |
There was a problem hiding this comment.
Do we need entire hadoop dependency for this?
| </dependency> | ||
|
|
||
| <dependency> | ||
| <groupId>io.prestosql.hadoop</groupId> |
There was a problem hiding this comment.
please move it to other compile dependencies.
| return this; | ||
| } | ||
|
|
||
| public boolean isKerberosAuthEnabled() |
There was a problem hiding this comment.
Please add kudu.authentication.type property that accepts KERBEROS or NONE
| return kerberosPrincipal; | ||
| } | ||
|
|
||
| @Config("kudu.kerberos-auth.principal") |
| return kerberosKeytab; | ||
| } | ||
|
|
||
| @Config("kudu.kerberos-auth.keytab") |
| return kerberosAuthDebugEnabled; | ||
| } | ||
|
|
||
| @Config("kudu.kerberos-auth.debug.enabled") |
There was a problem hiding this comment.
Please remove this property. One can add it using jvm.config
| import java.io.IOException; | ||
| import java.security.PrivilegedExceptionAction; | ||
|
|
||
| public class KuduUtil |
There was a problem hiding this comment.
Please use io.prestosql.plugin.base.authentication.KerberosAuthentication and io.prestosql.plugin.base.authentication.CachingKerberosAuthentication
| return kerberosPrincipal; | ||
| } | ||
|
|
||
| @Config("kudu.kerberos-auth.principal") |
There was a problem hiding this comment.
Kerberos related properties should not be allowed to be configures if kudu.authentication.type=NONE. Please see usages how it typically achieved by look at usages of io.airlift.configuration.ConditionalModule#installModuleIf.
|
@kokosing @Praveen2112 Thanks for your review and suggestions! |
|
Any expected ETA for this functionality ? |
|
@sumit-gupta-sgt This feature was just released in Trino 372: |
|
Closing this since it is now obsolete and was merged in #10953 |
6 participants
Add the following configuration to etc/catalog/kudu.properties to enable kerberos authentication:
Fixes #1237