You are viewing a plain text version of this content. The canonical link for it is here.

Posted to reviews@impala.apache.org by "Thomas Tauber-Marshall (Code Review)" <ge...@cloudera.org> on 2019/08/16 04:22:20 UTC

[Impala-ASF-CR] IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled

Thomas Tauber-Marshall has uploaded this change for review. ( http://gerrit.cloudera.org:8080/14077


Change subject: IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled
......................................................................

IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled

When both kerberos and ldap auth are enabled and an http request is
not successfully authenticated, THttpServer only sends the
'WWW-Authenticate: Basic' challenge and doesn't send the
'WWW-Authenticate: Negotiate' challenge, which can cause clients that
want to connect with kerberos to fail to authenticate.

This patch fixes this to send both challenges.

Testing:
- Manually tested in a cluster with both Kerberos and LDAP enabled on
  Impala with connections proxied through Apache Knox, which would
  previously fail.

Change-Id: I138f33783bfd0f8f9b8db242589a9cc75cfd392a
---
M be/src/transport/THttpServer.cpp
1 file changed, 4 insertions(+), 1 deletion(-)



  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/77/14077/1
-- 
To view, visit http://gerrit.cloudera.org:8080/14077
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I138f33783bfd0f8f9b8db242589a9cc75cfd392a
Gerrit-Change-Number: 14077
Gerrit-PatchSet: 1
Gerrit-Owner: Thomas Tauber-Marshall <tm...@cloudera.com>

[Impala-ASF-CR] IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/14077 )

Change subject: IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled
......................................................................


Patch Set 3:

Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/4812/ DRY_RUN=false


-- 
To view, visit http://gerrit.cloudera.org:8080/14077
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I138f33783bfd0f8f9b8db242589a9cc75cfd392a
Gerrit-Change-Number: 14077
Gerrit-PatchSet: 3
Gerrit-Owner: Thomas Tauber-Marshall <tm...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Thomas Tauber-Marshall <tm...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-Comment-Date: Sat, 17 Aug 2019 00:05:07 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/14077 )

Change subject: IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled
......................................................................


Patch Set 2:

Build Successful 

https://jenkins.impala.io/job/gerrit-code-review-checks/4292/ : Initial code review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun to run full precommit tests.


-- 
To view, visit http://gerrit.cloudera.org:8080/14077
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I138f33783bfd0f8f9b8db242589a9cc75cfd392a
Gerrit-Change-Number: 14077
Gerrit-PatchSet: 2
Gerrit-Owner: Thomas Tauber-Marshall <tm...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Thomas Tauber-Marshall <tm...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-Comment-Date: Sat, 17 Aug 2019 00:43:45 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/14077 )

Change subject: IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled
......................................................................


Patch Set 1:

Build Successful 

https://jenkins.impala.io/job/gerrit-code-review-checks/4275/ : Initial code review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun to run full precommit tests.


-- 
To view, visit http://gerrit.cloudera.org:8080/14077
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I138f33783bfd0f8f9b8db242589a9cc75cfd392a
Gerrit-Change-Number: 14077
Gerrit-PatchSet: 1
Gerrit-Owner: Thomas Tauber-Marshall <tm...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-Comment-Date: Fri, 16 Aug 2019 05:03:07 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled

Posted by "Tim Armstrong (Code Review)" <ge...@cloudera.org>.

Tim Armstrong has posted comments on this change. ( http://gerrit.cloudera.org:8080/14077 )

Change subject: IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled
......................................................................


Patch Set 1:

(That comment isn't blocking)


-- 
To view, visit http://gerrit.cloudera.org:8080/14077
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I138f33783bfd0f8f9b8db242589a9cc75cfd392a
Gerrit-Change-Number: 14077
Gerrit-PatchSet: 1
Gerrit-Owner: Thomas Tauber-Marshall <tm...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-Comment-Date: Fri, 16 Aug 2019 23:37:35 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled

Posted by "Tim Armstrong (Code Review)" <ge...@cloudera.org>.

Tim Armstrong has posted comments on this change. ( http://gerrit.cloudera.org:8080/14077 )

Change subject: IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled
......................................................................


Patch Set 1: Code-Review+2


-- 
To view, visit http://gerrit.cloudera.org:8080/14077
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I138f33783bfd0f8f9b8db242589a9cc75cfd392a
Gerrit-Change-Number: 14077
Gerrit-PatchSet: 1
Gerrit-Owner: Thomas Tauber-Marshall <tm...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-Comment-Date: Fri, 16 Aug 2019 23:37:24 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled

Posted by "Tim Armstrong (Code Review)" <ge...@cloudera.org>.

Tim Armstrong has posted comments on this change. ( http://gerrit.cloudera.org:8080/14077 )

Change subject: IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled
......................................................................


Patch Set 1:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/14077/1/be/src/transport/THttpServer.cpp
File be/src/transport/THttpServer.cpp:

http://gerrit.cloudera.org:8080/#/c/14077/1/be/src/transport/THttpServer.cpp@175
PS1, Line 175:   if (!got_basic_auth) basic_auth_token = "";
The API of TryStripPrefixString() is weird. I find the flow a little confusing with how it's mutating basic_auth_token then undoing it. Maybe it would be more obvious if you used a temporary for the output argument of TryStripPrefixString(). I.e. something like

  string stripped_basic_auth_token;
  bool got_basic_auth = TryStripPrefixString(auth_value_, "Basic ", &basic_auth_token)
  string basic_auth_token = got_basic_auth ? move(stripped_basic_auth_token) : "";

Same for negotiate_auth_token below.



-- 
To view, visit http://gerrit.cloudera.org:8080/14077
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I138f33783bfd0f8f9b8db242589a9cc75cfd392a
Gerrit-Change-Number: 14077
Gerrit-PatchSet: 1
Gerrit-Owner: Thomas Tauber-Marshall <tm...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-Comment-Date: Fri, 16 Aug 2019 23:35:31 +0000
Gerrit-HasComments: Yes

[Impala-ASF-CR] IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/14077 )

Change subject: IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled
......................................................................

IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled

When both kerberos and ldap auth are enabled and an http request is
not successfully authenticated, THttpServer only sends the
'WWW-Authenticate: Basic' challenge and doesn't send the
'WWW-Authenticate: Negotiate' challenge, which can cause clients that
want to connect with kerberos to fail to authenticate.

This patch fixes this to send both challenges.

Testing:
- Manually tested in a cluster with both Kerberos and LDAP enabled on
  Impala with connections proxied through Apache Knox, which would
  previously fail.

Change-Id: I138f33783bfd0f8f9b8db242589a9cc75cfd392a
Reviewed-on: http://gerrit.cloudera.org:8080/14077
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
M be/src/transport/THttpServer.cpp
1 file changed, 10 insertions(+), 5 deletions(-)

Approvals:
  Impala Public Jenkins: Looks good to me, approved; Verified

-- 
To view, visit http://gerrit.cloudera.org:8080/14077
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I138f33783bfd0f8f9b8db242589a9cc75cfd392a
Gerrit-Change-Number: 14077
Gerrit-PatchSet: 4
Gerrit-Owner: Thomas Tauber-Marshall <tm...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Thomas Tauber-Marshall <tm...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>

[Impala-ASF-CR] IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled

Posted by "Thomas Tauber-Marshall (Code Review)" <ge...@cloudera.org>.

Thomas Tauber-Marshall has posted comments on this change. ( http://gerrit.cloudera.org:8080/14077 )

Change subject: IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled
......................................................................


Patch Set 2: Code-Review+2

(1 comment)

carrying forward

http://gerrit.cloudera.org:8080/#/c/14077/1/be/src/transport/THttpServer.cpp
File be/src/transport/THttpServer.cpp:

http://gerrit.cloudera.org:8080/#/c/14077/1/be/src/transport/THttpServer.cpp@175
PS1, Line 175:       TryStripPrefixString(auth_value_, "Basic ", &stripped_basic_auth_token);
> The API of TryStripPrefixString() is weird. I find the flow a little confus
Done



-- 
To view, visit http://gerrit.cloudera.org:8080/14077
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I138f33783bfd0f8f9b8db242589a9cc75cfd392a
Gerrit-Change-Number: 14077
Gerrit-PatchSet: 2
Gerrit-Owner: Thomas Tauber-Marshall <tm...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Thomas Tauber-Marshall <tm...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-Comment-Date: Sat, 17 Aug 2019 00:04:39 +0000
Gerrit-HasComments: Yes

[Impala-ASF-CR] IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/14077 )

Change subject: IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled
......................................................................


Patch Set 3: Code-Review+2


-- 
To view, visit http://gerrit.cloudera.org:8080/14077
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I138f33783bfd0f8f9b8db242589a9cc75cfd392a
Gerrit-Change-Number: 14077
Gerrit-PatchSet: 3
Gerrit-Owner: Thomas Tauber-Marshall <tm...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Thomas Tauber-Marshall <tm...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-Comment-Date: Sat, 17 Aug 2019 00:05:06 +0000
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled

Posted by "Thomas Tauber-Marshall (Code Review)" <ge...@cloudera.org>.

Hello Todd Lipcon, Tim Armstrong, Impala Public Jenkins, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/14077

to look at the new patch set (#2).

Change subject: IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled
......................................................................

IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled

When both kerberos and ldap auth are enabled and an http request is
not successfully authenticated, THttpServer only sends the
'WWW-Authenticate: Basic' challenge and doesn't send the
'WWW-Authenticate: Negotiate' challenge, which can cause clients that
want to connect with kerberos to fail to authenticate.

This patch fixes this to send both challenges.

Testing:
- Manually tested in a cluster with both Kerberos and LDAP enabled on
  Impala with connections proxied through Apache Knox, which would
  previously fail.

Change-Id: I138f33783bfd0f8f9b8db242589a9cc75cfd392a
---
M be/src/transport/THttpServer.cpp
1 file changed, 10 insertions(+), 5 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/77/14077/2
-- 
To view, visit http://gerrit.cloudera.org:8080/14077
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I138f33783bfd0f8f9b8db242589a9cc75cfd392a
Gerrit-Change-Number: 14077
Gerrit-PatchSet: 2
Gerrit-Owner: Thomas Tauber-Marshall <tm...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>

[Impala-ASF-CR] IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.

Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/14077 )

Change subject: IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled
......................................................................


Patch Set 3: Verified+1


-- 
To view, visit http://gerrit.cloudera.org:8080/14077
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I138f33783bfd0f8f9b8db242589a9cc75cfd392a
Gerrit-Change-Number: 14077
Gerrit-PatchSet: 3
Gerrit-Owner: Thomas Tauber-Marshall <tm...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Thomas Tauber-Marshall <tm...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-Comment-Date: Sat, 17 Aug 2019 04:10:09 +0000
Gerrit-HasComments: No