Posted to commits@impala.apache.org by mi...@apache.org on 2023/09/21 21:50:04 UTC

[impala] branch master updated: IMPALA-12318: Add a flag option for http spnego dedicated keytab file.

This is an automated email from the ASF dual-hosted git repository.

michaelsmith pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git


The following commit(s) were added to refs/heads/master by this push:
     new 94f4f1d82 IMPALA-12318: Add a flag option for http spnego dedicated keytab file.
94f4f1d82 is described below

commit 94f4f1d82461d8f71fbd0d2e9082aa29b5f53a89
Author: halim.kim <ha...@navercorp.com>
AuthorDate: Wed Jul 26 20:24:51 2023 +0900

    IMPALA-12318: Add a flag option for http spnego dedicated keytab file.
    
    Add a --spnego_keytab_file flag for separation of the service keytab file
    and the spnego keytab file. If the --webserver_require_spnego flag is true and
    --spnego_keytab_file is not empty but specifies a keytab location, the web
    console gss acceptor registers the specified keytab location so that the web
    server is able to find the spnego principal from spnego_keytab_file. If
    --spnego_keytab_file is empty even when --webserver_require_spnego is true, the
    web server will use the --keytab_file flag as before.
    
    Change-Id: Ia4794ca97316c63a0e6fef9f7428fc05dd9904b0
    Reviewed-on: http://gerrit.cloudera.org:8080/20269
    Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
    Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
 be/src/common/global-flags.cc  |  2 ++
 be/src/kudu/security/gssapi.cc |  7 +++++++
 be/src/kudu/security/gssapi.h  |  1 +
 be/src/util/webserver.cc       | 10 +++++++++-
 4 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/be/src/common/global-flags.cc b/be/src/common/global-flags.cc
index d58b56c42..144f03647 100644
--- a/be/src/common/global-flags.cc
+++ b/be/src/common/global-flags.cc
@@ -52,6 +52,8 @@ DEFINE_string(principal, "", "Kerberos principal. If set, both client and backen
 DEFINE_string(be_principal, "", "Kerberos principal for backend network connections only,"
     "overriding --principal if set. Must not be set if --principal is not set.");
 DEFINE_string(keytab_file, "", "Absolute path to Kerberos keytab file");
+DEFINE_string(spnego_keytab_file, "", "Absolute path to Kerberos keytab file "
+    "for HTTP spnego. If it is empty, --keytab_file flag will be used.");
 DEFINE_string(krb5_ccname, "/tmp/krb5cc_impala_internal", "Absolute path to the file "
     "based credentials cache that we pass to the KRB5CCNAME environment variable.");
 DEFINE_string(krb5_conf, "", "Absolute path to Kerberos krb5.conf if in a non-standard "
diff --git a/be/src/kudu/security/gssapi.cc b/be/src/kudu/security/gssapi.cc
index 6797ec3fa..fbe9b744f 100644
--- a/be/src/kudu/security/gssapi.cc
+++ b/be/src/kudu/security/gssapi.cc
@@ -23,10 +23,13 @@
 
 #include <glog/logging.h>
 
+#include "common/global-flags.h"
 #include "kudu/gutil/strings/escaping.h"
 #include "kudu/util/scoped_cleanup.h"
 #include "kudu/util/status.h"
 
+DECLARE_string(spnego_keytab_file);
+
 using std::string;
 
 namespace kudu {
@@ -124,6 +127,10 @@ Status SpnegoStep(const string& in_token_b64,
   size_t real_token_size = token.size();
   token.resize(real_token_size + 256);
 
+  if (!FLAGS_spnego_keytab_file.empty()) {
+    krb5_gss_register_acceptor_identity(FLAGS_spnego_keytab_file.c_str());
+  }
+
   gss_buffer_desc input_token {real_token_size, const_cast<char*>(token.data())};
 
   gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
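Review bot: The return value of krb5_gss_register_acceptor_identity() on the second added line is discarded, so a --spnego_keytab_file that the library cannot register fails silently and the acceptor would presumably keep using the default keytab — the very keytab this flag is meant to keep separate. SpnegoStep already returns Status, so the result should be checked: `if (krb5_gss_register_acceptor_identity(FLAGS_spnego_keytab_file.c_str()) != GSS_S_COMPLETE) {` / `return Status::RuntimeError("failed to register SPNEGO acceptor keytab", FLAGS_spnego_keytab_file);` / `}`. The call also runs on every SpnegoStep invocation although it sets process-wide acceptor state; registering once where Webserver::Start already validates the path (the webserver.cc hunk) would avoid the per-request work and would keep this vendored Kudu file from depending on an Impala flag through the DECLARE_string added in the include hunk above. SpnegoStep begins before and continues after this hunk.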
diff --git a/be/src/kudu/security/gssapi.h b/be/src/kudu/security/gssapi.h
index 036b3d45c..2b8836ba2 100644
--- a/be/src/kudu/security/gssapi.h
+++ b/be/src/kudu/security/gssapi.h
@@ -19,6 +19,7 @@
 #include <string>
 
 #include <gssapi/gssapi.h>
+#include <gssapi/gssapi_krb5.h>
 
 namespace kudu {
 
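Review bot: The added `#include <gssapi/gssapi_krb5.h>` is not needed by anything declared in this header; the only user is krb5_gss_register_acceptor_identity() in gssapi.cc, so the include belongs there next to its use. Keeping the MIT-specific header out of the public header avoids leaking that dependency to every translation unit that includes gssapi.h.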
diff --git a/be/src/util/webserver.cc b/be/src/util/webserver.cc
index a4436f6f8..f74df5255 100644
--- a/be/src/util/webserver.cc
+++ b/be/src/util/webserver.cc
@@ -33,6 +33,7 @@
 #include <rapidjson/stringbuffer.h>
 
 #include "common/logging.h"
+#include "common/global-flags.h"
 #include "gutil/endian.h"
 #include "gutil/strings/escaping.h"
 #include "gutil/strings/strip.h"
@@ -162,6 +163,7 @@ DECLARE_bool(jwt_token_auth);
 DECLARE_bool(jwt_validate_signature);
 DECLARE_string(jwt_custom_claim_username);
 DECLARE_string(trusted_auth_header);
+DECLARE_string(spnego_keytab_file);
 
 static const char* DOC_FOLDER = "/www/";
 static const int DOC_FOLDER_LEN = strlen(DOC_FOLDER);
@@ -474,7 +476,13 @@ Status Webserver::Start() {
     // propagated into this environment variable where the GSSAPI calls will
     // pick it up. In other words, we aren't expecting users to pass in this
     // environment variable specifically.
-    const char* kt_file = getenv("KRB5_KTNAME");
+
+    // If --spnego_keytab_file flag is not empty, web server uses keytab file location
+    // specified in --spnego_keytab_file instead of --keytab_file. This is for seperation
+    // of impala service keytab and spnego keytab for web console authentication.
+    const char* kt_file = FLAGS_spnego_keytab_file.empty() ?
+      getenv("KRB5_KTNAME") :
+      FLAGS_spnego_keytab_file.c_str();
     if (!kt_file || !kudu::Env::Default()->FileExists(kt_file)) {
       return Status("Unable to configure web server for SPNEGO authentication: "
                     "must configure a keytab file for the server");
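Review bot: The failure message on the last two lines still says only "must configure a keytab file" although the path now comes from either KRB5_KTNAME or --spnego_keytab_file, so an operator cannot tell which source was mis-set; include the path that was checked, e.g. `"Unable to configure web server for SPNEGO authentication: keytab file " + std::string(kt_file ? kt_file : "<unset>") + " does not exist"` inside the existing Status constructor. FileExists only proves the file is present, not that the daemon user can read it, so a permission problem on a dedicated spnego keytab would still surface only at request time. The new comment on the third added line should read `separation`, not `seperation`. Webserver::Start begins before and continues after this hunk.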