Posted to issues-all@impala.apache.org by "Norbert Luksa (Jira)" <ji...@apache.org> on 2020/03/17 15:28:00 UTC

[jira] [Commented] (IMPALA-9430) Kerberos configs should be passed through to Kerberos libraries even if principal is not set

    [ https://issues.apache.org/jira/browse/IMPALA-9430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17060994#comment-17060994 ] 

Norbert Luksa commented on IMPALA-9430:
---------------------------------------

Looks like ASF Jira bot failed to copy the commit message, so here it is for reference:
IMPALA-9430: always pass through kerberos configs

The behaviour of kerberos-related command line flags is changed so that
their values are always passed through to underlying libraries,
even if Kerberos isn't enabled for internal communication in Impala.

This is good because:
* Various libraries that communicate with external systems may use
  kerberos for outgoing connections, if *incoming* connections are
  not authenticated.
  e.g. it might just be enabled for HMS. Having them pick up different
  kerberos settings for outgoing connections if kerberos is disabled
  for incoming connections is a little weird. This
  is a safer default that reduces chances of inadvertent
  misconfigurations.
* It matches the documentation of the flags.

Some validations are still disabled when --principal is not set,
e.g. we don't check the replay cache directory. This is to avoid
any potential regressions or startup failures on non-kerberised
clusters.

Testing:
Added unit tests for flag validation and env var setting on the
code paths that I touched.

Change-Id: If4bb311c7ab7173232aab36c5ed801f93f38f5b9
Reviewed-on: http://gerrit.cloudera.org:8080/15340
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>

> Kerberos configs should be passed through to Kerberos libraries even if principal is not set
> --------------------------------------------------------------------------------------------
>
>                 Key: IMPALA-9430
>                 URL: https://issues.apache.org/jira/browse/IMPALA-9430
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Backend
>            Reporter: Tim Armstrong
>            Assignee: Tim Armstrong
>            Priority: Major
>              Labels: kerberos, security
>             Fix For: Impala 3.4.0
>
>
> InitKerberosEnv() configures native and JDK kerberos implementations based on command-line flags: https://github.com/apache/impala/blob/d1b42c836c3458a2ef3662c0b0b1fd8fbf8f2baf/be/src/rpc/authentication.cc#L866 . It only does this when --principal is set.
> It's possible that Impala can be set up to use kerberos to communicate with some external services, e.g. HMS or Hive, even if --principal is not set, since those clients read in config XML files that are independent of the Impala flags. This isn't a recommended configuration and requires a fair bit of expertise to get right, but I think it's very surprising that the configs *don't* get passed through in the case. The documentation doesn't mention this behaviour.
> The suggested change here is to apply the config changes independent of the value of --principal. It should be a noop if kerberos is not configured for any services.



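
A simplified C++ model of the behaviour change described in the commit message above, added here as an illustration; it is not code from the Impala repository. The `KrbFlags` struct, both function names and the sample paths are hypothetical, while `KRB5_CONFIG` and `KRB5CCNAME` are the standard MIT Kerberos environment variables.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <sys/stat.h>

// Hypothetical flag holder; field names are illustrative, not Impala's gflags.
struct KrbFlags {
  std::string principal;    // empty: Kerberos is off for incoming connections
  std::string krb5_conf;    // path to krb5.conf
  std::string krb5_ccname;  // credential cache location
  std::string rcache_dir;   // replay cache directory
};

using Env = std::map<std::string, std::string>;

// Computes the environment handed to the Kerberos libraries.
// gate_on_principal=true models the old behaviour, false the new one.
Env KerberosEnv(const KrbFlags& f, bool gate_on_principal) {
  Env env;
  if (gate_on_principal && f.principal.empty()) return env;  // old: settings dropped
  if (!f.krb5_conf.empty()) env["KRB5_CONFIG"] = f.krb5_conf;
  if (!f.krb5_ccname.empty()) env["KRB5CCNAME"] = f.krb5_ccname;
  return env;
}

// Strict validation stays tied to the principal, so a non-kerberised
// cluster with an unusable replay cache path still starts.
bool ValidateKerberosFlags(const KrbFlags& f, std::string* err) {
  if (f.principal.empty()) return true;
  struct stat st;
  if (stat(f.rcache_dir.c_str(), &st) != 0 || !S_ISDIR(st.st_mode)) {
    *err = "replay cache directory is not usable: " + f.rcache_dir;
    return false;
  }
  return true;
}

int main() {
  // Constructed sample: Kerberos only for outgoing connections, no principal.
  KrbFlags f{"", "/etc/krb5-constructed.conf", "/tmp/krb5cc_constructed",
             "/nonexistent/constructed-rcache"};
  std::cout << "old behaviour exports " << KerberosEnv(f, true).size()
            << " variables, new behaviour exports "
            << KerberosEnv(f, false).size() << "\n";
  std::string err;
  std::cout << "startup validation passes: "
            << (ValidateKerberosFlags(f, &err) ? "yes" : "no") << "\n";
  return 0;
}
```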