Posted to issues@impala.apache.org by "Thomas Tauber-Marshall (Jira)" <ji...@apache.org> on 2020/12/17 17:23:00 UTC

[jira] [Resolved] (IMPALA-10381) Fix overloading of --ldap_passwords_in_clear_ok

     [ https://issues.apache.org/jira/browse/IMPALA-10381?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thomas Tauber-Marshall resolved IMPALA-10381.
---------------------------------------------
    Resolution: Fixed

> Fix overloading of --ldap_passwords_in_clear_ok
> -----------------------------------------------
>
>                 Key: IMPALA-10381
>                 URL: https://issues.apache.org/jira/browse/IMPALA-10381
>             Project: IMPALA
>          Issue Type: Improvement
>    Affects Versions: Impala 4.0
>            Reporter: Thomas Tauber-Marshall
>            Assignee: Thomas Tauber-Marshall
>            Priority: Major
>
> The --ldap_passwords_in_clear_ok flag was originally intended to allow configurations where Impala connects to LDAP without SSL, for testing purposes.
> Since then, two other uses of the flag have been added: 1) for controlling whether cookies include the 'Secure' attribute and 2) for controlling whether the webserver allows LDAP auth to be enabled if SSL isn't.
> Some use cases may prefer to control these values separately - for example, in a Kubernetes environment there may be SSL termination that happens at the ingress such that SSL isn't enabled on the webserver but it's still safe to have LDAP auth enabled, in which case the 'Secure' attribute is still desired for cookies.
> We should separate this out into 3 different flags. Because the flag was marked 'for testing only', I don't think this needs to be considered a breaking change.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)