Posted to commits@impala.apache.org by ar...@apache.org on 2019/02/09 01:49:06 UTC

[impala] 02/05: IMPALA-8154: Disable Kerberos auth_to_local setting

This is an automated email from the ASF dual-hosted git repository.

arodoni pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git

commit bf96eb30a2b96a945fc7c10716252ea37dc665f5
Author: Michael Ho <kw...@cloudera.com>
AuthorDate: Thu Feb 7 11:48:27 2019 -0800

    IMPALA-8154: Disable Kerberos auth_to_local setting
    
    Before KRPC, the local name mapping was done from the principal name entirely.
    With KRPC, Impala started to use the system auth_to_local rules as the Kudu
    security code has "--use_system_auth_to_local=true" by default. This can cause
    a regression if local auth is configured in the krb5.conf (e.g. with SSSD with AD)
    as we started enforcing authorization based on Kerberos principal after this
    commit (https://github.com/apache/impala/commit/5c541b960491ba91533712144599fb3b6d99521d)
    
    This change fixes the problem by explicitly setting FLAGS_use_system_auth_to_local
    to false during initialization.
    
    Testing done: Enabled auth_to_local in a Kerberized cluster to map "impala/<hostname>"
    to foobar and verified queries still worked as expected.
    
    Change-Id: I0b0ad79b56cd5cdd3108c6f973e71a9416efbac8
    Reviewed-on: http://gerrit.cloudera.org:8080/12405
    Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
    Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
 be/src/rpc/authentication.cc | 5 +++++
 1 file changed, 5 insertions(+)
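For readers unfamiliar with auth_to_local, the following is an added worked example (not Impala or Kudu code) that models what the commit message describes: a site rule in krb5.conf maps the service principal impala/<hostname> to a different local name, and an internal peer check that expects the service user fails until the system mapping is switched off. The krb5.conf fragment, the realm EXAMPLE.COM, the hostnames and the expected user "impala" are constructed for the example; rule evaluation follows the MIT krb5 RULE:[n:string](regexp)s/pattern/replacement/g and DEFAULT syntax (with a line scan instead of a full krb5.conf parser), and the behaviour with the mapping disabled (local name taken as the principal's first component) is an assumption about the pre-KRPC path, not something the patch shows.

```python
"""Kerberos auth_to_local mapping versus principal-based authorization (IMPALA-8154).

Added example, not Impala or Kudu code. Rule evaluation follows the MIT krb5 syntax
RULE:[n:string](regexp)s/pattern/replacement/g and DEFAULT. The krb5.conf fragment,
realm, hostnames and expected service user are constructed; the "mapping disabled"
branch (local name = first principal component) is an assumption about the pre-KRPC path.
"""
import re
from typing import List, Optional, Tuple

# Constructed krb5.conf fragment. The first rule is the kind of site mapping an SSSD/AD
# deployment might carry: every impala/<host>@EXAMPLE.COM principal becomes the local
# account "foobar", as in the commit's test scenario.
KRB5_CONF = r"""
[libdefaults]
  default_realm = EXAMPLE.COM

[realms]
  EXAMPLE.COM = {
    auth_to_local = RULE:[2:$1/$2@$0](impala/.*@EXAMPLE\.COM)s/.*/foobar/
    auth_to_local = RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@.*//
    auth_to_local = DEFAULT
  }
"""

_RULE_HEAD = re.compile(r"RULE:\[(\d+):([^\]]*)\]\(((?:[^)\\]|\\.)*)\)")
_SED = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


class Rule:
    """One auth_to_local entry: DEFAULT, or a RULE with zero or more s/// steps."""

    def __init__(self, text: str):
        self.default = text == "DEFAULT"
        self.subs: List[Tuple[re.Pattern, str, bool]] = []
        if self.default:
            return
        head = _RULE_HEAD.match(text)
        if head is None:
            raise ValueError(f"malformed auth_to_local rule: {text!r}")
        self.ncomp = int(head.group(1))   # principal must have exactly n components
        self.fmt = head.group(2)          # $0 = realm, $1..$n = components
        self.regexp = re.compile(head.group(3))
        pos = head.end()
        while pos < len(text):
            sed = _SED.match(text, pos)
            if sed is None:
                raise ValueError(f"malformed substitution in rule: {text!r}")
            self.subs.append((re.compile(sed.group(1)), sed.group(2), sed.group(3) == "g"))
            pos = sed.end()

    def apply(self, comps: List[str], realm: str, default_realm: str) -> Optional[str]:
        """Local name this rule yields, or None if the rule does not apply."""
        if self.default:  # single-component principal in the default realm maps to itself
            return comps[0] if len(comps) == 1 and realm == default_realm else None
        if len(comps) != self.ncomp:
            return None
        sel = self.fmt.replace("$0", realm)
        for i, comp in enumerate(comps, start=1):  # adequate for up to 9 components
            sel = sel.replace(f"${i}", comp)
        if self.regexp.fullmatch(sel) is None:     # regexp must match the whole selection string
            return None
        for pattern, repl, is_global in self.subs:
            sel = pattern.sub(repl, sel, count=0 if is_global else 1)
        return sel


def parse_principal(text: str) -> Tuple[List[str], str]:
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM')."""
    name, sep, realm = text.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"principal without realm: {text!r}")
    return name.split("/"), realm


def load_rules(conf: str) -> Tuple[str, List[Rule]]:
    """default_realm and the auth_to_local lines, in order (line scan, not a full parser)."""
    realm = re.search(r"^\s*default_realm\s*=\s*(\S+)", conf, re.M)
    if realm is None:
        raise ValueError("no default_realm in krb5.conf fragment")
    return realm.group(1), [Rule(r) for r in re.findall(r"^\s*auth_to_local\s*=\s*(\S+)", conf, re.M)]


def system_auth_to_local(principal: str, conf: str = KRB5_CONF) -> Optional[str]:
    """First matching rule wins; None models krb5's 'no translation' result."""
    default_realm, rules = load_rules(conf)
    comps, realm = parse_principal(principal)
    for rule in rules:
        local = rule.apply(comps, realm, default_realm)
        if local is not None:
            return local
    return None


def local_name(principal: str, use_system_auth_to_local: bool, conf: str = KRB5_CONF) -> Optional[str]:
    """Local name the authorization check sees, depending on the flag the patch forces to false."""
    if use_system_auth_to_local:
        return system_auth_to_local(principal, conf)
    # Assumption: with the system mapping off, the name is the principal's first component.
    return parse_principal(principal)[0][0]


def internal_peer_authorized(peer_principal: str, expected_user: str,
                             use_system_auth_to_local: bool, conf: str = KRB5_CONF) -> bool:
    """Model of the principal-based check the commit message refers to: a daemon-to-daemon
    connection is accepted only if the peer resolves to the expected service user."""
    return local_name(peer_principal, use_system_auth_to_local, conf) == expected_user


if __name__ == "__main__":
    peer = "impala/host1.example.com@EXAMPLE.COM"
    for flag in (True, False):
        print(f"use_system_auth_to_local={flag}: {peer} -> {local_name(peer, flag)!r}, "
              f"authorized={internal_peer_authorized(peer, 'impala', flag)}")
```

With the system mapping on, the impala/host1 principal resolves to "foobar" and the peer check fails, which is the regression the commit describes; with it off, the same principal resolves to "impala" and the check passes. The other two constructed rules show the normal outcomes: a plain user principal in the default realm maps to its name, and a principal no rule covers gets no translation at all.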

diff --git a/be/src/rpc/authentication.cc b/be/src/rpc/authentication.cc
index 0b5b5d9..072ccdf 100644
--- a/be/src/rpc/authentication.cc
+++ b/be/src/rpc/authentication.cc
@@ -72,6 +72,9 @@ DECLARE_string(krb5_ccname);
 DECLARE_string(krb5_conf);
 DECLARE_string(krb5_debug_file);
 
+// Defined in kudu/security/init.cc
+DECLARE_bool(use_system_auth_to_local);
+
 DEFINE_string(sasl_path, "", "Colon separated list of paths to look for SASL "
     "security library plugins.");
 DEFINE_bool(enable_ldap_auth, false,
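Review bot: the new `DECLARE_bool(use_system_auth_to_local);` records where the flag is defined but not where Impala changes it, and since it is a gflags flag owned by Kudu (default true, per the commit message) nothing at this declaration tells a reader that Impala forces it off later in this file. Suggest extending the comment, e.g. `// Defined in kudu/security/init.cc (default true). Forced to false in SaslAuthProvider::Start(), see IMPALA-8154.`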
@@ -784,6 +787,8 @@ Status SaslAuthProvider::Start() {
   if (needs_kinit_) {
     DCHECK(is_internal_);
     DCHECK(!principal_.empty());
+    // IMPALA-8154: Disable any Kerberos auth_to_local mappings.
+    FLAGS_use_system_auth_to_local = false;
     // Starts a thread that periodically does a 'kinit'. The thread lives as long as the
     // process does.
     KUDU_RETURN_IF_ERROR(kudu::security::InitKerberosForServer(principal_, keytab_file_,
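Review bot: the assignment `FLAGS_use_system_auth_to_local = false;` unconditionally overwrites the flag at startup, so a value an operator passes on the command line is silently discarded rather than rejected, and because it sits inside `if (needs_kinit_)` the override only happens on the path that runs kinit. Suggest (a) saying in the comment why the mapping must stay off, i.e. the commit message's point that Impala now authorizes on the Kerberos principal, so a site rule mapping impala/<hostname> to another local name breaks internal connections, and (b) either logging when a user-supplied true is being overridden or moving the assignment ahead of the `if` so every Kerberos-enabled path behaves the same, with a comment stating why the kinit path is the only one that matters if that is in fact the case.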