增加客户端认证注释

2024-09-01 23:23:01 +08:00 · 2024-09-01 23:23:01 +08:00 · dfc2c04eea
commit dfc2c04eea
parent ddc50a86f7
1 changed files with 12 additions and 2 deletions
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
@ -200,9 +200,11 @@ public void authenticate(URL url, AuthenticatedURL.Token token)
          needFallback = true;
        }
        if (!needFallback && isNegotiate(conn)) {
+		  // 对于普通的HTTP的kerberos认证(SPNEGO)，需要现在客户端登录KDC服务
          LOG.debug("Performing our own SPNEGO sequence.");
          doSpnegoSequence(token);
        } else {
+		  // 当前主要适用于对认证方式需要扩展的场景。
          LOG.debug("Using fallback authenticator sequence.");
          Authenticator auth = getFallBackAuthenticator();
          // Make sure that the fall back authenticator have the same
@ -301,6 +303,7 @@ private void doSpnegoSequence(final AuthenticatedURL.Token token)
        subject = new Subject();
        LoginContext login = new LoginContext("", subject,
            null, new KerberosConfiguration());
+		// 登录KDC服务
        login.login();
      }

@ -314,12 +317,14 @@ public Void run() throws Exception {
          GSSContext gssContext = null;
          try {
            GSSManager gssManager = GSSManager.getInstance();
+			// 设置服务端的域名，由于是HTTP协议，所以当前要求principal的格式为：HTTP/HOST_NAME的方式。
            String servicePrincipal = KerberosUtil.getServicePrincipal("HTTP",
                KerberosAuthenticator.this.url.getHost());
            Oid oid = KerberosUtil.NT_GSS_KRB5_PRINCIPAL_OID;
            GSSName serviceName = gssManager.createName(servicePrincipal,
                                                        oid);
            oid = KerberosUtil.GSS_KRB5_MECH_OID;
+			// 创建获取token的上下文信息。
            gssContext = gssManager.createContext(serviceName, oid, null,
                                                  GSSContext.DEFAULT_LIFETIME);
            gssContext.requestCredDeleg(true);
@ -333,14 +338,19 @@ public Void run() throws Exception {
            while (!established) {
              HttpURLConnection conn =
                  token.openConnection(url, connConfigurator);
-              outToken = gssContext.initSecContext(inToken, 0, inToken.length);
+              // 获取客户端的token。对于第一次的场景，inToken为空。
+			  // 对于中间过程，需要将服务端给的token传进去校验。
+			  outToken = gssContext.initSecContext(inToken, 0, inToken.length);
              if (outToken != null) {
+				// 将token发送给服务端
                sendToken(conn, outToken);
              }

              if (!gssContext.isEstablished()) {
-                inToken = readToken(conn);
+                // 读取服务端发送的token。
+				inToken = readToken(conn);
              } else {
+				// 认证完成,认证结束
                established = true;
              }
            }