Posted to commits@kudu.apache.org by ad...@apache.org on 2019/10/28 20:46:55 UTC

[kudu] branch master updated: KUDU-2979: Add wrapper function of krb5_parse_name to be used in Impala

This is an automated email from the ASF dual-hosted git repository.

adar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git


The following commit(s) were added to refs/heads/master by this push:
     new 6ca5991  KUDU-2979: Add wrapper function of krb5_parse_name to be used in Impala
6ca5991 is described below

commit 6ca599195922b27ec42c6a18eba09c0e8197121a
Author: xiaomeng <xi...@cloudera.com>
AuthorDate: Mon Oct 21 10:00:16 2019 -0700

    KUDU-2979: Add wrapper function of krb5_parse_name to be used in Impala
    
    From IMPALA-7504, we want to use krb5_parse_name() to parse the principal
    instead of using custom code.
    
    When kerberos is initialized in Impala's copy of Kudu code, it stores a
    global context which is used when accessing the Krb5 library. To use
    this global context, the code that parses the principal name is moved
    into Kudu code. This new code is then called from the existing
    ParseKerberosPrincipal method.
    
    Test added in mini_kdc-test.TestBasicOperation.
    
    Change-Id: Ifddafa7aae25d66ed7d9fa0306f17501a191cdac
    Reviewed-on: http://gerrit.cloudera.org:8080/14520
    Tested-by: Kudu Jenkins
    Reviewed-by: Alexey Serbin <as...@cloudera.com>
---
 src/kudu/security/init.cc               | 18 ++++++++++++++++++
 src/kudu/security/init.h                |  6 ++++++
 src/kudu/security/test/mini_kdc-test.cc | 16 ++++++++++++++++
 3 files changed, 40 insertions(+)

diff --git a/src/kudu/security/init.cc b/src/kudu/security/init.cc
index 200411f..d0b2226 100644
--- a/src/kudu/security/init.cc
+++ b/src/kudu/security/init.cc
@@ -452,6 +452,24 @@ boost::optional<string> GetLoggedInUsernameFromKeytab() {
   return g_kinit_ctx->username_str();
 }
 
+Status Krb5ParseName(const string& principal, string* service_name,
+                     string* hostname, string* realm) {
+  krb5_principal princ;
+  KRB5_RETURN_NOT_OK_PREPEND(krb5_parse_name(g_krb5_ctx, principal.c_str(), &princ),
+      "could not parse principal");
+  SCOPED_CLEANUP({
+      krb5_free_principal(g_krb5_ctx, princ);
+    });
+  if (princ->length != 2) {
+    return Status::InvalidArgument(Substitute("$0: principal should include "
+                                              "service name, hostname and realm", principal));
+  }
+  realm->assign(princ->realm.data, princ->realm.length);
+  service_name->assign(princ->data[0].data, princ->data[0].length);
+  hostname->assign(princ->data[1].data, princ->data[1].length);
+  return Status::OK();
+}
+
 Status InitKerberosForServer(const std::string& raw_principal, const std::string& keytab_file,
     const std::string& krb5ccname, bool disable_krb5_replay_cache) {
   if (keytab_file.empty()) return Status::OK();
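Review bot: The `princ->length != 2` check in Krb5ParseName counts components but not their contents, so a principal with an empty component (for example one whose hostname part is missing after the `/`) would presumably return OK with an empty `hostname` or `service_name`. Callers that use the parsed service name or hostname in an authentication or authorization comparison are better served by rejecting that case here, e.g. `if (princ->length != 2 || princ->data[0].length == 0 || princ->data[1].length == 0) {`. Separately, `g_krb5_ctx` is passed to `krb5_parse_name` with no visible check that it has been initialized; if this function can be reached before Kerberos initialization, it needs a guard or a documented precondition.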
diff --git a/src/kudu/security/init.h b/src/kudu/security/init.h
index 8b1519a..80074b3 100644
--- a/src/kudu/security/init.h
+++ b/src/kudu/security/init.h
@@ -35,6 +35,12 @@ namespace security {
 // pick up credentials from test cases or any other daemon.
 static const std::string kKrb5CCName = "MEMORY:kudu";
 
+// Parses the given Kerberos principal into service name, hostname, and realm.
+Status Krb5ParseName(const std::string& principal,
+                     std::string* service_name,
+                     std::string* hostname,
+                     std::string* realm);
+
 // Initializes Kerberos for a server. In particular, this processes
 // the '--keytab_file' command line flag.
 // 'raw_principal' is the principal to Kinit with after calling GetConfiguredPrincipal()
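Review bot: The one-line comment on Krb5ParseName leaves out the parts of the contract a caller most needs. The test in this commit shows that a principal without `@REALM` still succeeds and returns a realm, presumably the default realm of the local krb5 configuration, so the returned realm is not always one the input carried. I would extend the comment with something like `// If 'principal' has no realm, the default realm of the krb5 context is returned in 'realm'.` and `// Returns InvalidArgument if the principal does not have exactly two components; outputs must be non-null and are left unmodified on error.` Since the implementation uses the process-global krb5 context, the comment should also say whether Kerberos has to be initialized before the call.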
diff --git a/src/kudu/security/test/mini_kdc-test.cc b/src/kudu/security/test/mini_kdc-test.cc
index e0ba455..ec137eb 100644
--- a/src/kudu/security/test/mini_kdc-test.cc
+++ b/src/kudu/security/test/mini_kdc-test.cc
@@ -75,6 +75,22 @@ TEST_F(MiniKdcTest, TestBasicOperation) {
   ASSERT_OK(security::InitKerberosForServer(kSPN, kt_path));
   ASSERT_EQ("kudu/foo.example.com@KRBTEST.COM", *security::GetLoggedInPrincipalFromKeytab());
 
+  // Test parse krb5 principal.
+  string service_name;
+  string hostname;
+  string realm;
+  for (const auto& principal : { "kudu/foo.example.com@KRBTEST.COM", "kudu/foo.example.com" }) {
+    ASSERT_OK(security::Krb5ParseName(principal, &service_name, &hostname, &realm));
+    ASSERT_EQ("kudu", service_name);
+    ASSERT_EQ("foo.example.com", hostname);
+    ASSERT_EQ("KRBTEST.COM", realm);
+  }
+
+  // Test bad format principal.
+  ASSERT_TRUE(security::Krb5ParseName("", &service_name, &hostname, &realm).IsInvalidArgument());
+  ASSERT_TRUE(security::Krb5ParseName("kudu@KRBTEST.COM", &service_name,
+      &hostname, &realm).IsInvalidArgument());
+
   // Test principal canonicalization.
   string princ = "foo";
   ASSERT_OK(security::CanonicalizeKrb5Principal(&princ));
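Review bot: `service_name`, `hostname` and `realm` are declared once before the loop and never cleared, so the second iteration (`kudu/foo.example.com`, no realm) would still pass if Krb5ParseName wrote nothing, because the values from the first iteration are still in place. Clearing them at the top of the loop body, `service_name.clear(); hostname.clear(); realm.clear();`, makes each iteration prove that the function filled the outputs. The bad-format cases only cover inputs with fewer than two components; a principal with three components is worth adding. The TEST_F body starts and ends outside this hunk.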