You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@kudu.apache.org by "Todd Lipcon (Code Review)" <ge...@cloudera.org> on 2019/06/04 05:12:03 UTC

[kudu-CR] Support SPNEGO for web server 

Hello Thomas Marshall, Tidy Bot, Lars Volker, Alexey Serbin, Kudu Jenkins, Hao Hao, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/13341

to look at the new patch set (#2).

Change subject: Support SPNEGO for web server
......................................................................

Support SPNEGO for web server

SPNEGO is a protocol for securing HTTP requests with Kerberos by passing
negotiation through HTTP headers. It's supported by most major browsers
and also by most of the Java-based Hadoop components. Notably, it's also
the typical way in which Apache Knox authenticates itself to Hadoop
components in the "trusted proxy" mode, allowing them to be secured
behind Knox's SSO and other policies.

This patch implements the SPNEGO protocol by driving GSSAPI, and
integrates it into the webserver when configured by a new
--webserver_require_spnego flag.

The new test verifies this end-to-end using curl's SPNEGO authentication
support.

Along the way I had to cross-port a small change to the Base64 functions
in gutil to avoid a UBSAN error. I found the fix in abseil-cpp's copy of
the same file.

Change-Id: I9449ac610aa7d11bbf320d9178a6d73684ff15f7
---
M src/kudu/gutil/strings/escaping.cc
M src/kudu/rpc/client_negotiation.cc
M src/kudu/security/CMakeLists.txt
A src/kudu/security/gssapi.cc
A src/kudu/security/gssapi.h
M src/kudu/security/test/mini_kdc.cc
M src/kudu/security/test/mini_kdc.h
M src/kudu/server/CMakeLists.txt
M src/kudu/server/webserver-test.cc
M src/kudu/server/webserver.cc
M src/kudu/server/webserver_options.cc
M src/kudu/server/webserver_options.h
M src/kudu/util/curl_util.cc
M src/kudu/util/curl_util.h
M src/kudu/util/test_macros.h
M thirdparty/build-definitions.sh
16 files changed, 604 insertions(+), 62 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/41/13341/2
-- 
To view, visit http://gerrit.cloudera.org:8080/13341
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I9449ac610aa7d11bbf320d9178a6d73684ff15f7
Gerrit-Change-Number: 13341
Gerrit-PatchSet: 2
Gerrit-Owner: Todd Lipcon <to...@apache.org>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Hao Hao <ha...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Lars Volker <lv...@cloudera.com>
Gerrit-Reviewer: Thomas Marshall <tm...@cloudera.com>
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>