As discussed over in
HBASE-4460, the current approach to ThriftServer authentication (provided in HBASE-4099) will not work in an embedded context, since the region server will already does a login for the process.
We could make the embedded thrift server still run as a separate user, though, by doing something like the following:
- add a User.loginAndReturnUser() variant that delegates to UserGroupInformation.loginUserFromKeytabAndReturnUGI(), then returns a wrapping User instance
- call this method on startup for the embedded thrift server to get the thrift user instance
- use User.runAs() to execute the body of HRegionThriftServer.run() as the logged in thrift user