Posted to issues-all@impala.apache.org by "Norbert Luksa (Jira)" <ji...@apache.org> on 2020/03/17 15:30:00 UTC

[jira] [Commented] (IMPALA-9456) Allow disabling kerberos for incoming internal and external connections even if --principal is set

    [ https://issues.apache.org/jira/browse/IMPALA-9456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17060996#comment-17060996 ] 

Norbert Luksa commented on IMPALA-9456:
---------------------------------------

Looks like ASF Jira bot failed to copy the commit message, so here it is for reference:
IMPALA-9456: allow disabling kerberos selectively

There are specific use cases where we need to talk to kerberized
services (HMS, etc) and want to keep our TGT up to date using Impala's
kinit infrastructure, but don't want to kerberize all connections.

Adds --skip_internal_kerberos_auth and --skip_external_kerberos_auth
to disable Kerberos authentication for incoming connections even if
--principal is set. The daemon does a kinit and keeps tickets
up-to-date with the background thread even if kerberos is disabled
for all incoming connections.

Behaviour only changes when those flags are toggled.

The change required restructuring the code a bit, specifically
pulling the call to InitKerberosForServer() out of
SecureAuthProvider, which I think is a net improvement that makes
the control flow clearer.

Testing:
Add unit tests to:
* confirm that the kinit occurs even with auth disabled.
* confirm that incoming KRPC connections do not require authentication.

I would have liked to add automated tests for thrift interfaces but did
not have the infrastructure to unit-test it. I think the changes I made
are fairly low risk because they do not increase the number of code paths
in AuthManager::Init() and can be verified by inspection. The tests I
would have liked to add are:
* confirm that incoming external connections do not require auth
* confirm that internal thrift connections do not require auth.

Manually started kerberized minicluster with internal/external kerberos
disabled, e.g. with the command line:

  start-impala-cluster.py \
      --impalad_args=--skip_external_kerberos_auth=true \
      --impalad_args=--skip_internal_kerberos_auth=true \
      --state_store_args=--skip_internal_kerberos_auth=true \
      --catalogd_args=--skip_internal_kerberos_auth=true

Confirmed that impala-shell connected without -k when
--skip_external_kerberos_auth=true and requires -k otherwise.
Confirmed that we could run queries against HDFS tables even
with internal and external auth disabled. Checked logs to see
that tickets were reacquired.

  I0303 08:33:49.319911 16079 init.cc:303] Successfully reacquired a new kerberos TGT

Tested that a partially kerberised minicluster worked as expected, i.e.
that impalad <-> catalog/statestore connections can have auth disabled
so that the impalad can authenticate even if it does not have the right
principal set. The first start-impala-cluster.py command below succeeds
but the second and third fail because they cannot authenticate with the
catalog and statestore respectively because the processes did not kinit
as the impala principal.

  kinit -kt impala.keytab tarmstrong/localhost@EXAMPLE.COM
  start-impala-cluster.py --impalad_args='--principal="" --be_principal=""
      --keytab_file="" --krb5_ccname="/tmp/krb5cc_1000"' \
      --state_store_args=--skip_internal_kerberos_auth=true \
      --catalogd_args=--skip_internal_kerberos_auth=true
  kinit -kt impala.keytab tarmstrong/localhost@EXAMPLE.COM
  start-impala-cluster.py --impalad_args='--principal="" --be_principal=""
      --keytab_file="" --krb5_ccname="/tmp/krb5cc_1000"' \
      --state_store_args=--skip_internal_kerberos_auth=false \
      --catalogd_args=--skip_internal_kerberos_auth=true
  kinit -kt impala.keytab tarmstrong/localhost@EXAMPLE.COM
  start-impala-cluster.py --impalad_args='--principal="" --be_principal=""
      --keytab_file="" --krb5_ccname="/tmp/krb5cc_1000"' \
      --state_store_args=--skip_internal_kerberos_auth=false \
      --catalogd_args=--skip_internal_kerberos_auth=true

Change-Id: I3b1c641e05e588287e4d9d9cd8389d96fc71cf74
Reviewed-on: http://gerrit.cloudera.org:8080/15351
Reviewed-by: Tim Armstrong <ta...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>

> Allow disabling kerberos for incoming internal and external connections even if --principal is set
> --------------------------------------------------------------------------------------------------
>
>                 Key: IMPALA-9456
>                 URL: https://issues.apache.org/jira/browse/IMPALA-9456
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Backend
>            Reporter: Tim Armstrong
>            Assignee: Tim Armstrong
>            Priority: Major
>              Labels: kerberos, security
>             Fix For: Impala 3.4.0
>
>
> This would be useful in cases where we need to talk to kerberized services (HMS, etc) and want to keep our TGT up to date using Impala's kinit infrastructure, but don't want to kerberize all connections.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
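
An added example, not part of the original message or of Impala's code: a small audit helper that reads daemon command lines and reports where --principal is set but Kerberos is skipped for incoming connections, as the flags in the commit message allow. The sample command lines, the result labels and the boolean spellings accepted here are assumptions.

```python
import shlex

# Flag names come from the commit message. Assumptions: values are given as
# --flag=value, and booleans may be spelled --f, --nof or --f=true|false
# (gflags-style); "--flag value" with a space is not handled.
SKIP_FLAGS = {"internal": "skip_internal_kerberos_auth",
              "external": "skip_external_kerberos_auth"}
TRUE_VALUES = {"", "true", "t", "1", "yes", "y"}

def parse_flags(cmdline):
    """Return {flag: value} for a daemon command line; later flags win."""
    flags = {}
    for tok in shlex.split(cmdline)[1:]:
        if not tok.startswith("-"):
            continue
        name, sep, value = tok.lstrip("-").partition("=")
        if not sep and name.startswith("no") and name[2:] in SKIP_FLAGS.values():
            name, value = name[2:], "false"
        flags[name] = value
    return flags

def incoming_auth(cmdline):
    """Map 'internal'/'external' to the Kerberos state of incoming connections."""
    flags = parse_flags(cmdline)
    kerberized = bool(flags.get("principal"))  # --principal="" means not kerberized
    result = {}
    for side, flag in SKIP_FLAGS.items():
        skipped = flag in flags and flags[flag].lower() in TRUE_VALUES
        # "kerberos-skipped": the daemon still kinits, but does not require
        # Kerberos from connecting peers on this side.
        result[side] = ("no-principal" if not kerberized
                        else "kerberos-skipped" if skipped else "kerberos")
    return result

def findings(cmdlines):
    """List (daemon, side) pairs where --principal is set but Kerberos is skipped."""
    return [(name, side) for name, cmd in cmdlines.items()
            for side, state in incoming_auth(cmd).items() if state == "kerberos-skipped"]

# Constructed sample command lines (host, realm and keytab path are made up).
SAMPLE = {
    "impalad": "impalad --principal=impala/host1@EXAMPLE.COM --keytab_file=/etc/impala.keytab "
               "--skip_external_kerberos_auth=true --skip_internal_kerberos_auth",
    "catalogd": "catalogd --principal=impala/host1@EXAMPLE.COM --skip_internal_kerberos_auth=false",
    "statestored": "statestored --principal=impala/host1@EXAMPLE.COM --noskip_internal_kerberos_auth",
}

if __name__ == "__main__":
    for daemon, side in findings(SAMPLE):
        print(f"{daemon}: incoming {side} connections do not require Kerberos")
```
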
