Posted to commits@impala.apache.org by mi...@apache.org on 2023/09/21 21:50:04 UTC
[impala] branch master updated: IMPALA-12318: Add a flag option for http spnego dedicated keytab file.
This is an automated email from the ASF dual-hosted git repository.
michaelsmith pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git
The following commit(s) were added to refs/heads/master by this push:
new 94f4f1d82 IMPALA-12318: Add a flag option for http spnego dedicated keytab file.
94f4f1d82 is described below
commit 94f4f1d82461d8f71fbd0d2e9082aa29b5f53a89
Author: halim.kim <ha...@navercorp.com>
AuthorDate: Wed Jul 26 20:24:51 2023 +0900
IMPALA-12318: Add a flag option for http spnego dedicated keytab file.
Add a --spnego_keytab_file flag to separate the service keytab file
from the SPNEGO keytab file. If the --webserver_require_spnego flag is true and
--spnego_keytab_file is not empty but specifies a keytab location, the web
console GSS acceptor registers the specified keytab location so that the web
server is able to find the SPNEGO principal in spnego_keytab_file. If
--spnego_keytab_file is empty even when --webserver_require_spnego is set, the web
server will use the --keytab_file flag as is.
Change-Id: Ia4794ca97316c63a0e6fef9f7428fc05dd9904b0
Reviewed-on: http://gerrit.cloudera.org:8080/20269
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
be/src/common/global-flags.cc | 2 ++
be/src/kudu/security/gssapi.cc | 7 +++++++
be/src/kudu/security/gssapi.h | 1 +
be/src/util/webserver.cc | 10 +++++++++-
4 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/be/src/common/global-flags.cc b/be/src/common/global-flags.cc
index d58b56c42..144f03647 100644
--- a/be/src/common/global-flags.cc
+++ b/be/src/common/global-flags.cc
@@ -52,6 +52,8 @@ DEFINE_string(principal, "", "Kerberos principal. If set, both client and backen
DEFINE_string(be_principal, "", "Kerberos principal for backend network connections only,"
"overriding --principal if set. Must not be set if --principal is not set.");
DEFINE_string(keytab_file, "", "Absolute path to Kerberos keytab file");
+DEFINE_string(spnego_keytab_file, "", "Absolute path to Kerberos keytab file "
+ "for HTTP spnego. If it is empty, --keytab_file flag will be used.");
DEFINE_string(krb5_ccname, "/tmp/krb5cc_impala_internal", "Absolute path to the file "
"based credentials cache that we pass to the KRB5CCNAME environment variable.");
DEFINE_string(krb5_conf, "", "Absolute path to Kerberos krb5.conf if in a non-standard "
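Review bot: The help text of the added `spnego_keytab_file` definition does not say when the flag is consulted; per the commit message it only matters when --webserver_require_spnego is set, and a reader of --help cannot tell that, nor that the path must be readable by the daemon's user. Suggest `"Absolute path to the Kerberos keytab file used for HTTP SPNEGO authentication of the web server (only consulted when --webserver_require_spnego is set). If empty, --keytab_file is used."`.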
diff --git a/be/src/kudu/security/gssapi.cc b/be/src/kudu/security/gssapi.cc
index 6797ec3fa..fbe9b744f 100644
--- a/be/src/kudu/security/gssapi.cc
+++ b/be/src/kudu/security/gssapi.cc
@@ -23,10 +23,13 @@
#include <glog/logging.h>
+#include "common/global-flags.h"
#include "kudu/gutil/strings/escaping.h"
#include "kudu/util/scoped_cleanup.h"
#include "kudu/util/status.h"
+DECLARE_string(spnego_keytab_file);
+
using std::string;
namespace kudu {
@@ -124,6 +127,10 @@ Status SpnegoStep(const string& in_token_b64,
size_t real_token_size = token.size();
token.resize(real_token_size + 256);
+ if (!FLAGS_spnego_keytab_file.empty()) {
+ krb5_gss_register_acceptor_identity(FLAGS_spnego_keytab_file.c_str());
+ }
+
gss_buffer_desc input_token {real_token_size, const_cast<char*>(token.data())};
gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
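Review bot: The return value of `krb5_gss_register_acceptor_identity` on the added lines is discarded, so a keytab path that cannot be registered (wrong path, unreadable file) is silently ignored and the acceptor falls back to whatever keytab the process default or KRB5_KTNAME names, which defeats the separation the flag is meant to provide and leaves no log trace of the misconfiguration. The call also runs on every SpnegoStep invocation although the acceptor identity is a process-wide setting; registering it once at startup, where webserver.cc already checks that the file exists, and failing loudly there would be simpler than re-registering per request from vendored Kudu code, which the include and DECLARE_string in the previous hunk now couple to Impala's global flags. If the call stays here, at least check the result: `OM_uint32 rc = krb5_gss_register_acceptor_identity(FLAGS_spnego_keytab_file.c_str());` followed by `if (rc != GSS_S_COMPLETE) return Status::RuntimeError("failed to register SPNEGO acceptor keytab");`. SpnegoStep begins before this hunk and continues after it.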
diff --git a/be/src/kudu/security/gssapi.h b/be/src/kudu/security/gssapi.h
index 036b3d45c..2b8836ba2 100644
--- a/be/src/kudu/security/gssapi.h
+++ b/be/src/kudu/security/gssapi.h
@@ -19,6 +19,7 @@
#include <string>
#include <gssapi/gssapi.h>
+#include <gssapi/gssapi_krb5.h>
namespace kudu {
diff --git a/be/src/util/webserver.cc b/be/src/util/webserver.cc
index a4436f6f8..f74df5255 100644
--- a/be/src/util/webserver.cc
+++ b/be/src/util/webserver.cc
@@ -33,6 +33,7 @@
#include <rapidjson/stringbuffer.h>
#include "common/logging.h"
+#include "common/global-flags.h"
#include "gutil/endian.h"
#include "gutil/strings/escaping.h"
#include "gutil/strings/strip.h"
@@ -162,6 +163,7 @@ DECLARE_bool(jwt_token_auth);
DECLARE_bool(jwt_validate_signature);
DECLARE_string(jwt_custom_claim_username);
DECLARE_string(trusted_auth_header);
+DECLARE_string(spnego_keytab_file);
static const char* DOC_FOLDER = "/www/";
static const int DOC_FOLDER_LEN = strlen(DOC_FOLDER);
@@ -474,7 +476,13 @@ Status Webserver::Start() {
// propagated into this environment variable where the GSSAPI calls will
// pick it up. In other words, we aren't expecting users to pass in this
// environment variable specifically.
- const char* kt_file = getenv("KRB5_KTNAME");
+
+ // If --spnego_keytab_file flag is not empty, web server uses keytab file location
+ // specified in --spnego_keytab_file instead of --keytab_file. This is for seperation
+ // of impala service keytab and spnego keytab for web console authentication.
+ const char* kt_file = FLAGS_spnego_keytab_file.empty() ?
+ getenv("KRB5_KTNAME") :
+ FLAGS_spnego_keytab_file.c_str();
if (!kt_file || !kudu::Env::Default()->FileExists(kt_file)) {
return Status("Unable to configure web server for SPNEGO authentication: "
"must configure a keytab file for the server");