
Kerberos auth (http client)

Open maciejmaciejko-gid opened this issue 1 year ago • 10 comments

Summary

Supporting Kerberos auth in the HTTP client.

Checklist

Delete items not relevant to your PR:

  • [ ] Unit and integration tests covering the common scenarios were added
  • [ ] A human-readable description of the changes was provided to include in CHANGELOG
  • [ ] For significant changes, documentation in https://github.com/ClickHouse/clickhouse-docs was updated with further explanations or tutorials

maciejmaciejko-gid avatar Jan 31 '24 12:01 maciejmaciejko-gid

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Jan 31 '24 12:01 CLAassistant

@maciejmaciejko-gid It's failing. Did you run it locally before?

[INFO] ------------------------------------------------------------------------
Error:  Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.11.0:testCompile (default-testCompile) on project clickhouse-http-client: Compilation failure
Error:  /home/runner/work/clickhouse-java/clickhouse-java/clickhouse-http-client/src/test/java/com/clickhouse/client/http/ClickHouseHttpConnectionTest.java:[3,26] cannot access org.mockito.Mockito
Error:    bad class file: /home/runner/.m2/repository/org/mockito/mockito-core/5.9.0/mockito-core-5.9.0.jar(org/mockito/Mockito.class)
Error:      class file has wrong version 55.0, should be 52.0
Error:      Please remove or make sure it appears in the correct subdirectory of the classpath.
Error:  -> [Help 1]

mzitnik avatar Feb 04 '24 10:02 mzitnik

Can we also run a full integration test for Kerberos?

mzitnik avatar Feb 04 '24 10:02 mzitnik

@mzitnik I'm sorry, I used a higher Java version, therefore I was able to use the latest Mockito, which is built with Java 11. Issue fixed. Integration test added. I also optimized credential handling. The trickiest part of Kerberos is configuration (a lot of options; moreover, it's possible to use the JGSS native lib, which makes things even more complicated). The implementation handles two ways of acquiring credentials: directly from the host or passed via a subject. That way it's possible to handle e.g. impersonation and passing a TGT. The implementation was tested with Tableau Server (as Kerberos delegation/impersonation) and on Tableau Desktop with AD.

maciejmaciejko-gid avatar Feb 08 '24 11:02 maciejmaciejko-gid
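The two credential paths described in the comment above (taken from the host, or passed in via a `Subject`) can be sketched with the JDK's standard JGSS API. This is an added example, not code from this PR or from clickhouse-java; the class name, method names and the placeholder host are hypothetical, and it assumes a working `krb5.conf` and reachable KDC to produce a token.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import org.ietf.jgss.*;

// Added illustration only; names are hypothetical and not taken from the PR.
public final class SpnegoTokenExample {
    /** Returns the "Authorization" header value for the service HTTP@serverHost. */
    static String negotiateHeader(String serverHost, Subject subject) throws Exception {
        if (subject != null) {
            // Path 1: caller-supplied credentials (e.g. a TGT held in the Subject).
            return Subject.doAs(subject,
                    (PrivilegedExceptionAction<String>) () -> initToken(serverHost));
        }
        // Path 2: credentials from the host (ticket cache or keytab, per JAAS/krb5 config).
        // JGSS only looks outside the current Subject when this is "false"; it is process-wide.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        return initToken(serverHost);
    }

    private static String initToken(String serverHost) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        Oid spnego = new Oid("1.3.6.1.5.5.2"); // SPNEGO mechanism OID
        GSSName service = manager.createName("HTTP@" + serverHost, GSSName.NT_HOSTBASED_SERVICE);
        // A null name with INITIATE_ONLY selects the default initiator credential in scope.
        GSSCredential cred = manager.createCredential(
                null, GSSCredential.DEFAULT_LIFETIME, spnego, GSSCredential.INITIATE_ONLY);
        GSSContext ctx = manager.createContext(service, spnego, cred, GSSContext.DEFAULT_LIFETIME);
        try {
            ctx.requestMutualAuth(true);  // the server must prove its identity as well
            ctx.requestCredDeleg(false);  // do not forward the TGT unless delegation is needed
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            return "Negotiate " + Base64.getEncoder().encodeToString(token);
        } finally {
            ctx.dispose();
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "clickhouse.example.com"; // placeholder host
        try {
            // Report only the length: the token itself is a credential and should not be logged.
            System.out.println("Header built, " + negotiateHeader(host, null).length() + " chars");
        } catch (GSSException e) {
            // Expected when no ticket cache, keytab or KDC is available on this machine.
            System.err.println("No usable Kerberos credentials: " + e.getMessage());
        }
    }
}
```

`Subject.doAs` is used because the build log earlier in the thread shows the project compiling to class file version 52.0 (Java 8).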

Thanks @maciejmaciejko-gid, running tests

mzitnik avatar Feb 11 '24 12:02 mzitnik

Oh, I used a cached image... Give me a moment, I will fix it

maciejmaciejko-gid avatar Feb 11 '24 12:02 maciejmaciejko-gid

@mzitnik Could you run the pipeline again?

maciejmaciejko-gid avatar Feb 11 '24 13:02 maciejmaciejko-gid

Sorry, error with the sample. It would be easier if I could try the pipeline before code review... fixed

maciejmaciejko-gid avatar Feb 11 '24 13:02 maciejmaciejko-gid

@maciejmaciejko-gid Did you run it locally?

mzitnik avatar Feb 11 '24 15:02 mzitnik

@mzitnik I misunderstood the purpose of the examples. Sample removed. I'm going to describe that feature in clickhouse-docs and get back to you with this PR.

maciejmaciejko-gid avatar Feb 11 '24 18:02 maciejmaciejko-gid