Posted to commits@kudu.apache.org by ad...@apache.org on 2019/10/28 20:46:55 UTC
[kudu] branch master updated: KUDU-2979: Add wrapper function of
krb5_parse_name to be used in Impala
This is an automated email from the ASF dual-hosted git repository.
adar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git
The following commit(s) were added to refs/heads/master by this push:
new 6ca5991 KUDU-2979: Add wrapper function of krb5_parse_name to be used in Impala
6ca5991 is described below
commit 6ca599195922b27ec42c6a18eba09c0e8197121a
Author: xiaomeng <xi...@cloudera.com>
AuthorDate: Mon Oct 21 10:00:16 2019 -0700
KUDU-2979: Add wrapper function of krb5_parse_name to be used in Impala
From IMPALA-7504, we want to use krb5_parse_name() to parse the principal
instead of using custom code.
When kerberos is initialized in Impala's copy of Kudu code, it stores a
global context which is used when accessing the Krb5 library. To use
this global context, the code that parses the principal name is moved
into Kudu code. This new code is then called from the existing
ParseKerberosPrincipal method.
Test added in mini_kdc-test.TestBasicOperation.
Change-Id: Ifddafa7aae25d66ed7d9fa0306f17501a191cdac
Reviewed-on: http://gerrit.cloudera.org:8080/14520
Tested-by: Kudu Jenkins
Reviewed-by: Alexey Serbin <as...@cloudera.com>
---
src/kudu/security/init.cc | 18 ++++++++++++++++++
src/kudu/security/init.h | 6 ++++++
src/kudu/security/test/mini_kdc-test.cc | 16 ++++++++++++++++
3 files changed, 40 insertions(+)
diff --git a/src/kudu/security/init.cc b/src/kudu/security/init.cc
index 200411f..d0b2226 100644
--- a/src/kudu/security/init.cc
+++ b/src/kudu/security/init.cc
@@ -452,6 +452,24 @@ boost::optional<string> GetLoggedInUsernameFromKeytab() {
return g_kinit_ctx->username_str();
}
+Status Krb5ParseName(const string& principal, string* service_name,
+ string* hostname, string* realm) {
+ krb5_principal princ;
+ KRB5_RETURN_NOT_OK_PREPEND(krb5_parse_name(g_krb5_ctx, principal.c_str(), &princ),
+ "could not parse principal");
+ SCOPED_CLEANUP({
+ krb5_free_principal(g_krb5_ctx, princ);
+ });
+ if (princ->length != 2) {
+ return Status::InvalidArgument(Substitute("$0: principal should include "
+ "service name, hostname and realm", principal));
+ }
+ realm->assign(princ->realm.data, princ->realm.length);
+ service_name->assign(princ->data[0].data, princ->data[0].length);
+ hostname->assign(princ->data[1].data, princ->data[1].length);
+ return Status::OK();
+}
+
Status InitKerberosForServer(const std::string& raw_principal, const std::string& keytab_file,
const std::string& krb5ccname, bool disable_krb5_replay_cache) {
if (keytab_file.empty()) return Status::OK();
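Review bot: Krb5ParseName validates only the component count (`princ->length != 2`), so a principal with an empty service or host component would pass this check, if krb5_parse_name accepts it, and hand empty strings back to the caller. krb5_parse_name also expands backslash escapes, so a component can contain an embedded NUL or a literal `/` or `@`. The length-based `assign()` calls preserve these, and a caller that later compares the hostname through `c_str()` would see a different value than the `std::string` holds. Consider adding `if (princ->data[0].length == 0 || princ->data[1].length == 0) return Status::InvalidArgument(...);` after the length check, and rejecting components that contain NUL before they reach any authorization decision. The InvalidArgument text also says the realm must be included, while the test in this commit accepts a realm-less principal and gets the default realm back.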
diff --git a/src/kudu/security/init.h b/src/kudu/security/init.h
index 8b1519a..80074b3 100644
--- a/src/kudu/security/init.h
+++ b/src/kudu/security/init.h
@@ -35,6 +35,12 @@ namespace security {
// pick up credentials from test cases or any other daemon.
static const std::string kKrb5CCName = "MEMORY:kudu";
+// Parses the given Kerberos principal into service name, hostname, and realm.
+Status Krb5ParseName(const std::string& principal,
+ std::string* service_name,
+ std::string* hostname,
+ std::string* realm);
+
// Initializes Kerberos for a server. In particular, this processes
// the '--keytab_file' command line flag.
// 'raw_principal' is the principal to Kinit with after calling GetConfiguredPrincipal()
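Review bot: The one-line comment on Krb5ParseName omits the contract a caller outside Kudu (the commit message names Impala) needs to use it safely. The implementation reads the global `g_krb5_ctx`, so it presumably must be called only after Kerberos has been initialized. It fills in the default realm when the input has none, and it returns InvalidArgument unless the principal has exactly two components. I would extend the comment along the lines of `// Requires the process-wide krb5 context to be initialized. 'principal' must be of the form service/host[@REALM]; the default realm is returned if omitted. Out-params must be non-null and are only written on success.` The last clause follows from the assignments happening after every early return in init.cc.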
diff --git a/src/kudu/security/test/mini_kdc-test.cc b/src/kudu/security/test/mini_kdc-test.cc
index e0ba455..ec137eb 100644
--- a/src/kudu/security/test/mini_kdc-test.cc
+++ b/src/kudu/security/test/mini_kdc-test.cc
@@ -75,6 +75,22 @@ TEST_F(MiniKdcTest, TestBasicOperation) {
ASSERT_OK(security::InitKerberosForServer(kSPN, kt_path));
ASSERT_EQ("kudu/foo.example.com@KRBTEST.COM", *security::GetLoggedInPrincipalFromKeytab());
+ // Test parse krb5 principal.
+ string service_name;
+ string hostname;
+ string realm;
+ for (const auto& principal : { "kudu/foo.example.com@KRBTEST.COM", "kudu/foo.example.com" }) {
+ ASSERT_OK(security::Krb5ParseName(principal, &service_name, &hostname, &realm));
+ ASSERT_EQ("kudu", service_name);
+ ASSERT_EQ("foo.example.com", hostname);
+ ASSERT_EQ("KRBTEST.COM", realm);
+ }
+
+ // Test bad format principal.
+ ASSERT_TRUE(security::Krb5ParseName("", &service_name, &hostname, &realm).IsInvalidArgument());
+ ASSERT_TRUE(security::Krb5ParseName("kudu@KRBTEST.COM", &service_name,
+ &hostname, &realm).IsInvalidArgument());
+
// Test principal canonicalization.
string princ = "foo";
ASSERT_OK(security::CanonicalizeKrb5Principal(&princ));
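Review bot: `service_name`, `hostname` and `realm` are declared once outside the loop and never cleared, so the second iteration (`"kudu/foo.example.com"`, no realm) would still pass on stale values from the first if Krb5ParseName failed to write an output. Declare the three strings inside the loop body, or call `.clear()` on each at the top of every iteration, so each principal is checked against freshly written outputs. The negative cases cover only `""` and a one-component principal. A three-component input and one with an empty component (for example `"kudu/@KRBTEST.COM"`, a constructed sample) would pin down how the `length != 2` check behaves at its edges. TestBasicOperation continues outside this hunk.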