Posted to reviews@impala.apache.org by "Michael Ho (Code Review)" <ge...@cloudera.org> on 2017/08/20 01:11:56 UTC

[Impala-ASF-CR] KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA

Hello Alexey Serbin, Kudu Jenkins,

I'd like you to do a code review.  Please visit

    http://gerrit.cloudera.org:8080/7745

to review the following change.

Change subject: KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA
......................................................................

KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA

FreeIPA is a piece of software that automates and simplifies management
of MIT krb5, SSSD, some LDAP service, etc. FreeIPA configures a
localauth plugin[1] in krb5.conf to map Kerberos principals to local
usernames. In this configuration, Kudu daemons were failing to start up
due to failure to map their own service principals back to a username.
This is due to a number of issues:

1) FreeIPA distinguishes between service principals and user principals
and doesn't store a 'uid' field in LDAP for service principals. Thus,
when 'sssd' tries to map a service principal to a local unix user, it
determines that there is no such user (i.e. getpwnam() fails). This is by
design, best I can tell.

2) sssd's implementation of krb5_auth_to_localname[1] uses getpwnam to try
to map the kerberos principal to the local username. Because of the
above, it fails for service principals.

3) Prior to el7.3, sssd configures krb5 with 'enable_only = sssd' in the
localauth plugin section. This means that if sssd fails to perform the
mapping, it does not fall back to other mappings defined in krb5.conf
(e.g. explicitly defined auth_to_local rules). See [2].

4) Even after 7.3, there is an additional bug in sssd which I just
filed[3], which causes the fallback to still not work. Because of this,
we're getting the KRB5_PLUGIN_NO_HANDLE error code back up at the Kudu
layer.

We already have our own fallback case for KRB5_LNAME_NO_TRANS, and it
seems like we should just be handling PLUGIN_NO_HANDLE in the same way
to work around the above behavior.

I tested this patch on a FreeIPA-configured system on el6.7. I was able
to successfully start a master with a FreeIPA-provided keytab and
authentication required, and use 'kudu table list' to authenticate to
it.

[1] https://github.com/SSSD/sssd/blob/master/src/krb5_plugin/sssd_krb5_localauth_plugin.c
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1297462
[3] https://pagure.io/SSSD/sssd/issue/3459

Change-Id: I7bc13b33053a73784350c9d30a3796a96d318c04
Reviewed-on: http://gerrit.cloudera.org:8080/7551
Tested-by: Kudu Jenkins
Reviewed-by: Alexey Serbin <as...@cloudera.com>
---
M be/src/kudu/security/init.cc
1 file changed, 5 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/45/7745/1
-- 
To view, visit http://gerrit.cloudera.org:8080/7745
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I7bc13b33053a73784350c9d30a3796a96d318c04
Gerrit-PatchSet: 1
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Michael Ho <kw...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
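
An added illustration of the fallback the commit message describes (example code written for this page, not Kudu's init.cc; the names simulated_localauth and map_principal_to_local_name are hypothetical, the SIM_KRB5_* codes are stand-ins for the libkrb5 constants, and the passwd table is constructed). It models a localauth plugin that, like sssd on the affected systems, maps user principals it finds in passwd but returns PLUGIN_NO_HANDLE for service principals, and a caller that treats that code like LNAME_NO_TRANS and falls back to the principal's first component, while any other error still fails hard.

```c
/* Added illustration (not Kudu's init.cc): the "no translation" fallback that
 * the change above extends from KRB5_LNAME_NO_TRANS to KRB5_PLUGIN_NO_HANDLE.
 * Self-contained: the krb5 library and the localauth plugin are simulated. */
#include <stdio.h>
#include <string.h>

/* Stand-ins for krb5 result codes. The names mirror the real ones, but the
 * numeric values are arbitrary; real code takes them from <krb5.h>. */
enum {
    SIM_KRB5_OK = 0,
    SIM_KRB5_LNAME_NO_TRANS = 1,   /* no auth_to_local rule matched */
    SIM_KRB5_PLUGIN_NO_HANDLE = 2, /* localauth plugin declined, no fallback */
    SIM_KRB5_OTHER_ERROR = 3       /* anything else: treated as a hard failure */
};

/* Copy the first component of "primary[/instance]@REALM" into out.
 * Returns 0 on success, -1 if the component is empty or does not fit. */
int principal_first_component(const char *princ, char *out, size_t outlen) {
    size_t n = strcspn(princ, "/@");
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, princ, n);
    out[n] = '\0';
    return 0;
}

/* Constructed stand-in for a FreeIPA/sssd localauth plugin. It knows only the
 * local users present in a (constructed) passwd database, knows nothing about
 * service principals, and when it cannot map a principal it returns
 * PLUGIN_NO_HANDLE instead of deferring to auth_to_local rules, which is the
 * behaviour the commit message describes for the affected sssd versions. */
static const char *const kLocalUsers[] = { "alice", "bob" };

int simulated_localauth(const char *princ, char *out, size_t outlen) {
    char primary[64];
    if (principal_first_component(princ, primary, sizeof primary) != 0)
        return SIM_KRB5_OTHER_ERROR;
    /* A service principal carries an instance ("/"): never in passwd, by design. */
    if (strchr(princ, '/') != NULL) return SIM_KRB5_PLUGIN_NO_HANDLE;
    for (size_t i = 0; i < sizeof kLocalUsers / sizeof kLocalUsers[0]; i++) {
        if (strcmp(primary, kLocalUsers[i]) == 0) {
            if (strlen(primary) >= outlen) return SIM_KRB5_OTHER_ERROR;
            strcpy(out, primary);
            return SIM_KRB5_OK;
        }
    }
    return SIM_KRB5_PLUGIN_NO_HANDLE;
}

/* The pattern the change adopts: treat both "no translation available" codes
 * the same way and fall back to the principal's first component, but let any
 * other error propagate so a genuine misconfiguration still fails loudly. */
int map_principal_to_local_name(const char *princ, char *out, size_t outlen) {
    int rc = simulated_localauth(princ, out, outlen);
    if (rc == SIM_KRB5_OK) return 0;
    if (rc == SIM_KRB5_LNAME_NO_TRANS || rc == SIM_KRB5_PLUGIN_NO_HANDLE) {
        return principal_first_component(princ, out, outlen);
    }
    return -1;
}

int main(void) {
    /* Constructed sample principals. */
    const char *samples[] = {
        "alice@EXAMPLE.COM",                    /* user principal: mapped by the plugin */
        "kudu/master1.example.com@EXAMPLE.COM", /* service principal: first-component fallback */
        "@EXAMPLE.COM"                          /* malformed: rejected outright */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char name[64];
        int rc = map_principal_to_local_name(samples[i], name, sizeof name);
        printf("%-40s -> %s\n", samples[i], rc == 0 ? name : "(no mapping)");
    }
    return 0;
}
```

The fallback only fires on the two "no mapping exists" codes; an error such as a malformed principal is not silently turned into a username, which keeps the daemon's identity check strict for everything except the case the change is meant to tolerate.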

[Impala-ASF-CR] KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA

Posted by "Michael Ho (Code Review)" <ge...@cloudera.org>.
Michael Ho has posted comments on this change.

Change subject: KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA
......................................................................


Patch Set 2:

Actually, GVO doesn't seem to be affected by IMPALA-5819 (maybe that's how it slipped through to begin with?). Will give it a shot now.


Gerrit-MessageType: comment
Gerrit-Change-Id: I7bc13b33053a73784350c9d30a3796a96d318c04
Gerrit-PatchSet: 2
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Michael Ho <kw...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Michael Ho <kw...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: No

[Impala-ASF-CR] KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change.

Change subject: KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA
......................................................................


Patch Set 3:

Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/1119/


Gerrit-MessageType: comment
Gerrit-Change-Id: I7bc13b33053a73784350c9d30a3796a96d318c04
Gerrit-PatchSet: 3
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Michael Ho <kw...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Michael Ho <kw...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: No

[Impala-ASF-CR] KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change.

Change subject: KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA
......................................................................


Patch Set 3: Verified+1


Gerrit-MessageType: comment
Gerrit-Change-Id: I7bc13b33053a73784350c9d30a3796a96d318c04
Gerrit-PatchSet: 3
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Michael Ho <kw...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Michael Ho <kw...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: No

[Impala-ASF-CR] KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has posted comments on this change.

Change subject: KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA
......................................................................


Patch Set 1: Code-Review+1


Gerrit-MessageType: comment
Gerrit-Change-Id: I7bc13b33053a73784350c9d30a3796a96d318c04
Gerrit-PatchSet: 1
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Michael Ho <kw...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Michael Ho <kw...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: No

[Impala-ASF-CR] KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change.

Change subject: KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA
......................................................................


Patch Set 2:

Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/1106/


Gerrit-MessageType: comment
Gerrit-Change-Id: I7bc13b33053a73784350c9d30a3796a96d318c04
Gerrit-PatchSet: 2
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Michael Ho <kw...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Michael Ho <kw...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: No

[Impala-ASF-CR] KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA

Posted by "Michael Ho (Code Review)" <ge...@cloudera.org>.
Michael Ho has posted comments on this change.

Change subject: KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA
......................................................................


Patch Set 1:

Will rebase on https://gerrit.cloudera.org/#/c/7756/ once it is merged before starting GVO.


Gerrit-MessageType: comment
Gerrit-Change-Id: I7bc13b33053a73784350c9d30a3796a96d318c04
Gerrit-PatchSet: 1
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Michael Ho <kw...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Michael Ho <kw...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: No

[Impala-ASF-CR] KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change.

Change subject: KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA
......................................................................


Patch Set 2: Verified-1

Build failed: https://jenkins.impala.io/job/gerrit-verify-dryrun/1106/


Gerrit-MessageType: comment
Gerrit-Change-Id: I7bc13b33053a73784350c9d30a3796a96d318c04
Gerrit-PatchSet: 2
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Michael Ho <kw...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Michael Ho <kw...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: No

[Impala-ASF-CR] KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has submitted this change and it was merged.

Change subject: KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA
......................................................................


KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA

FreeIPA is a piece of software that automates and simplifies management
of MIT krb5, SSSD, some LDAP service, etc. FreeIPA configures a
localauth plugin[1] in krb5.conf to map Kerberos principals to local
usernames. In this configuration, Kudu daemons were failing to start up
due to failure to map their own service principals back to a username.
This is due to a number of issues:

1) FreeIPA distinguishes between service principals and user principals
and doesn't store a 'uid' field in LDAP for service principals. Thus,
when 'sssd' tries to map a service principal to a local unix user, it
determines that there is no such user (i.e. getpwnam() fails). This is by
design, best I can tell.

2) sssd's implementation of krb5_auth_to_localname[1] uses getpwnam to try
to map the kerberos principal to the local username. Because of the
above, it fails for service principals.

3) Prior to el7.3, sssd configures krb5 with 'enable_only = sssd' in the
localauth plugin section. This means that if sssd fails to perform the
mapping, it does not fall back to other mappings defined in krb5.conf
(e.g. explicitly defined auth_to_local rules). See [2].

4) Even after 7.3, there is an additional bug in sssd which I just
filed[3], which causes the fallback to still not work. Because of this,
we're getting the KRB5_PLUGIN_NO_HANDLE error code back up at the Kudu
layer.

We already have our own fallback case for KRB5_LNAME_NO_TRANS, and it
seems like we should just be handling PLUGIN_NO_HANDLE in the same way
to work around the above behavior.

I tested this patch on a FreeIPA-configured system on el6.7. I was able
to successfully start a master with a FreeIPA-provided keytab and
authentication required, and use 'kudu table list' to authenticate to
it.

[1] https://github.com/SSSD/sssd/blob/master/src/krb5_plugin/sssd_krb5_localauth_plugin.c
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1297462
[3] https://pagure.io/SSSD/sssd/issue/3459

Change-Id: I7bc13b33053a73784350c9d30a3796a96d318c04
Reviewed-on: http://gerrit.cloudera.org:8080/7551
Tested-by: Kudu Jenkins
Reviewed-by: Alexey Serbin <as...@cloudera.com>
Reviewed-on: http://gerrit.cloudera.org:8080/7745
Reviewed-by: Michael Ho <kw...@cloudera.com>
Tested-by: Impala Public Jenkins
---
M be/src/kudu/security/init.cc
1 file changed, 5 insertions(+), 1 deletion(-)

Approvals:
  Impala Public Jenkins: Verified
  Michael Ho: Looks good to me, approved




Gerrit-MessageType: merged
Gerrit-Change-Id: I7bc13b33053a73784350c9d30a3796a96d318c04
Gerrit-PatchSet: 4
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Michael Ho <kw...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Michael Ho <kw...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>

[Impala-ASF-CR] KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA

Posted by "Michael Ho (Code Review)" <ge...@cloudera.org>.
Michael Ho has posted comments on this change.

Change subject: KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA
......................................................................


Patch Set 3: Code-Review+2

GVO hit IMPALA-5819. Rebase to pick up the fix.


Gerrit-MessageType: comment
Gerrit-Change-Id: I7bc13b33053a73784350c9d30a3796a96d318c04
Gerrit-PatchSet: 3
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Michael Ho <kw...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Michael Ho <kw...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: No

[Impala-ASF-CR] KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA

Posted by "Sailesh Mukil (Code Review)" <ge...@cloudera.org>.
Sailesh Mukil has posted comments on this change.

Change subject: KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA
......................................................................


Patch Set 1: Code-Review+2


Gerrit-MessageType: comment
Gerrit-Change-Id: I7bc13b33053a73784350c9d30a3796a96d318c04
Gerrit-PatchSet: 1
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Michael Ho <kw...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Michael Ho <kw...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: No

[Impala-ASF-CR] KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA

Posted by "Michael Ho (Code Review)" <ge...@cloudera.org>.
Michael Ho has posted comments on this change.

Change subject: KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA
......................................................................


Patch Set 1:

The merge of this patch is clean for all files in the be/src/kudu directory.


Gerrit-MessageType: comment
Gerrit-Change-Id: I7bc13b33053a73784350c9d30a3796a96d318c04
Gerrit-PatchSet: 1
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Michael Ho <kw...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Michael Ho <kw...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: No

[Impala-ASF-CR] KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA

Posted by "Michael Ho (Code Review)" <ge...@cloudera.org>.
Michael Ho has posted comments on this change.

Change subject: KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA
......................................................................


Patch Set 2: Code-Review+2


Gerrit-MessageType: comment
Gerrit-Change-Id: I7bc13b33053a73784350c9d30a3796a96d318c04
Gerrit-PatchSet: 2
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Michael Ho <kw...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Michael Ho <kw...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: No