You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@impala.apache.org by "Lars Volker (Code Review)" <ge...@cloudera.org> on 2018/06/19 22:32:25 UTC
[Impala-ASF-CR] IMPALA-6691: KRPC w/ kerberos fails on SLES11
Hello Sailesh Mukil, Impala Public Jenkins,
I'd like you to do a code review. Please visit
http://gerrit.cloudera.org:8080/10764
to review the following change.
Change subject: IMPALA-6691: KRPC w/ kerberos fails on SLES11
......................................................................
IMPALA-6691: KRPC w/ kerberos fails on SLES11
The Kerberos version used in SLES 11 seems to have quite a few
undocumented bugs.
They have krb5-1.6 (krb5-client-1.6.3-133.49.112.1.x86_64).
With KRPC we see a new error "GSSAPI Error: A required input parameter
could not be read", which we've never seen before.
I looked into the krb5 codebase and between krb5-1.6 and krb5-1.7,
the code causing the above error (GSSAPI Error: A required input
parameter could not be read) has changed subtly without any
explanation as to why.
That error string corresponds to GSS_S_CALL_INACCESSIBLE_READ.
In 1.6, it returns an error if the 'input_token_buffer' string
is empty. krb5-1.6:
https://github.com/krb5/krb5/blob/krb5-1.6/src/lib/gssapi/mechglue/g_accept_sec_context.c#L149-L150
In 1.7, it returns an error only if the 'input_token_buffer' string
is NULL. krb5-1.7:
https://github.com/krb5/krb5/blob/krb5-1.7/src/lib/gssapi/mechglue/g_accept_sec_context.c#L149-L150
With KRPC, we test if Kerberos works by passing an empty string to SASL:
https://github.com/apache/impala/blob/master/be/src/kudu/rpc/server_negotiation.cc#L289
In 1.6, this is counted as an error, but in 1.7, this is completely
fine. I'm not sure why since they haven't documented it.
We can attempt to get KRPC working for SLES11 by removing the
PreflightGSSAPI() check for any kerberos version < 1.6. A function that
is unavailable on krb-1.6 is krb5_get_init_creds_opt_set_fast_ccache_name(),
and it is available from krb-1.7 onwards. The PreflightCheckGSSAPI() is
compiled in only if this function exists.
(However there may be more issues on SLES11 that we're not yet aware of)
Change-Id: Icda4173ae0adbc12d167b9918e22b47fd460498c
Reviewed-on: http://gerrit.cloudera.org:8080/9696
Reviewed-by: Sailesh Mukil <sa...@cloudera.com>
Tested-by: Impala Public Jenkins
---
M be/src/kudu/rpc/messenger.cc
1 file changed, 13 insertions(+), 0 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/64/10764/1
--
To view, visit http://gerrit.cloudera.org:8080/10764
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: Icda4173ae0adbc12d167b9918e22b47fd460498c
Gerrit-Change-Number: 10764
Gerrit-PatchSet: 1
Gerrit-Owner: Lars Volker <lv...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
[Impala-ASF-CR] IMPALA-6691: KRPC w/ kerberos fails on SLES11
Posted by "Lars Volker (Code Review)" <ge...@cloudera.org>.
Lars Volker has abandoned this change. ( http://gerrit.cloudera.org:8080/10764 )
Change subject: IMPALA-6691: KRPC w/ kerberos fails on SLES11
......................................................................
Abandoned
Not needed anymore.
--
To view, visit http://gerrit.cloudera.org:8080/10764
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: abandon
Gerrit-Change-Id: Icda4173ae0adbc12d167b9918e22b47fd460498c
Gerrit-Change-Number: 10764
Gerrit-PatchSet: 1
Gerrit-Owner: Lars Volker <lv...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <im...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>