Uploaded image for project: 'Calcite'
  1. Calcite
  2. CALCITE-5947

Use existing ticket cache for kerberos login

    XMLWordPrintableJSON

Details

    • New Feature
    • Status: Open
    • Major
    • Resolution: Unresolved
    • avatica-1.23.0
    • None
    • avatica
    • None

    Description

      Avatica currently requires that a kerberos principal and keytab is supplied in the JDBC URL for for connecting to a kerberized PQS.

      This is often sub-optimal solution.

      It would be much more user-friendly, if Avatica could simply use an existing ticket from the ticket cache.

      The algorithm could be something like this:

      • if principal and keytab is supplied in the URL:
        current behaviour
      • If only principal is supplied:
        try to load the ticket for the prinicpal from cache
      • If neither is supplied:
        Use first/default principal in the cache

      Most of the logic could be directly lifted from Phoenix Query Server:

      https://github.com/apache/phoenix-queryserver/blob/master/phoenix-queryserver-client/src/main/java/org/apache/phoenix/queryserver/client/KerberosLoginFromTicketCache.java

      Attachments

        Issue Links

          is related to

          Improvement - An improvement or enhancement to an existing feature or task. CALCITE-1214 Support url-based kerberos login

          • Major - Major loss of function.
          • Closed

          Activity

            People

              Unassigned Unassigned
              stoty Istvan Toth
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated: