Posted to issues-all@impala.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2023/03/12 23:56:00 UTC

[jira] [Commented] (IMPALA-11726) Allow LDAP user and group filter when kerberos is enabled

    [ https://issues.apache.org/jira/browse/IMPALA-11726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17699409#comment-17699409 ] 

ASF subversion and git services commented on IMPALA-11726:
----------------------------------------------------------

Commit 490dd7b1151881f91d339b61104c35e59fb61814 in impala's branch refs/heads/master from Gergely Farkas
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=490dd7b11 ]

IMPALA-11726: Allow LDAP user and group filter when Kerberos is enabled

This change does two things for the Kerberos authentication support
for impala clients:

1) Introduces allow_custom_ldap_filters_with_kerberos_auth flag,
which removes the restriction that prevents using LDAP group/user
search filters when Kerberos authentication is enabled. When the flag
is set both Kerberos and LDAP can work with impala clients
(impala-shell, jdbc, odbc, impyla) even if the group/user filters are
defined. The flag default value is false, which ensures backwards
compatibility.

2) Introduces enable_group_filter_check_for_authenticated_kerberos_user
flag, which allows group filters to be applied for non-proxy users
that belong to the authenticated Kerberos principals.
The verified username comes from the Kerberos principal: The username
is the first member of the authenticated Kerberos principal, where the
principal can be username/host@realm or username@realm.
Regardless of whether the flag is enabled or not, LDAP filters are not
applied for authorized proxy users (neither when using LDAP nor when
using Kerberos authentication). In case of delegation, filters are
applied for delegated users.
This flag makes sense if Kerberos and LDAP authentication are enabled
and the users in the KDC and LDAP are synchronized (e.g. Active
Directory provides both LDAP and Kerberos authentication).
The flag default value is false, which ensures backwards compatibility.

Notes:

If the allow_custom_ldap_filters_with_kerberos_auth flag is disabled,
it is still possible to use LDAP and Kerberos authentication together,
but in a limited way: Only LDAP search bind authentication mode can be
used, where there are default user and group search filters (that are
defined for Active Directory LDAP schema). One major limitation here
- apart from the AD directory schema assumed in the default filters -
is that the only possibility to control user access is to select the
appropriate user and group search base dn (e.g. granting LDAP access
to users/groups defined in a given subtree).
Even in this edge case, it is still allowed to enable the
enable_group_filter_check_for_authenticated_kerberos_user flag. If this
happens, then the default filters in LDAP search bind will be applied
for Kerberos authenticated non-proxy users.

Another edge case is where the LDAP authentication is enabled, the
user access is controlled by custom LDAP filters (LDAP auth only),
and the external Kerberos authentication is also enabled, but the users
in KDC and LDAP are not in sync:
In this case the allow_custom_ldap_filters_with_kerberos_auth flag must
be set, but enable_group_filter_check_for_authenticated_kerberos_user
flag should be disabled, otherwise an unauthorized response may be
received during Kerberos authentication (depending on whether the
authenticated Kerberos user passes the custom LDAP filters or not).
In such cases, access for Kerberos users must be controlled in other
ways (e.g. within FreeIPA KDC with host-based access control rules).

Tests:
- New unit test created to check the behavior of AuthManager with
  and without allow_custom_ldap_filters_with_kerberos_auth flag.
- New custom cluster tests created:
  - impala-shell tests that validate existing LDAP search bind
    and simple bind functionality with Kerberos authentication
    enabled (LdapSearchBindImpalaShellTest and
    LdapSimpleBindImpalaShellTest suites are now parameterized),
  - impala-shell tests that validate backwards compatibility
    when allow_custom_ldap_filters_with_kerberos_auth flag and
    enable_group_filter_check_for_authenticated_kerberos_user
    flags are disabled
    (LdapSearchBindDefaultFiltersKerberosImpalaShellTest)
  - various impala-shell tests that validate Kerberos
    authentication in an environment where LDAP authentication
    is also enabled (LdapKerberosImpalaShellTest)
- Manual tests with a snapshot build in CDP PVC DS with LDAP and
  Kerberos authentication enabled, user and group filters provided.

Change-Id: If3ca9c4ff8a17167e5233afabdd14c948edb46de
Reviewed-on: http://gerrit.cloudera.org:8080/19561
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>


> Allow LDAP user and group filter when kerberos is enabled
> ---------------------------------------------------------
>
>                 Key: IMPALA-11726
>                 URL: https://issues.apache.org/jira/browse/IMPALA-11726
>             Project: IMPALA
>          Issue Type: Improvement
>            Reporter: Attila Kreiner
>            Assignee: Gergely Farkas
>            Priority: Major
>              Labels: 2023Q1
>
> Remove the restriction that prevents using LDAP group/user search filters when Kerberos authentication is enabled, so both Kerberos and LDAP can work with impala-shell.
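The flag semantics described in the commit message above, modelled as an added Python example that is not part of the commit or of Impala's code: the flag names and rules come from the commit, while the AuthConfig type, the function names and the sample principals are assumptions of this example.

```python
# Constructed illustration of the two flags in IMPALA-11726. The flag names
# and rules are taken from the commit message; AuthConfig, the function
# names and the sample values are assumptions of this example, not Impala's
# own code.
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthConfig:
    kerberos_enabled: bool
    ldap_enabled: bool
    custom_ldap_filters_defined: bool  # user/group search filters configured
    allow_custom_ldap_filters_with_kerberos_auth: bool = False
    enable_group_filter_check_for_authenticated_kerberos_user: bool = False


def username_from_principal(principal: str) -> str:
    """'user/host@REALM' or 'user@REALM' -> 'user' (first principal member)."""
    primary, sep, realm = principal.partition("@")
    name = primary.split("/", 1)[0]
    if not sep or not name or not realm:
        raise ValueError(f"malformed Kerberos principal: {principal!r}")
    return name


def startup_allowed(cfg: AuthConfig) -> bool:
    """Custom LDAP filters together with Kerberos auth need the allow flag;
    its default (false) keeps the old restriction in place."""
    if cfg.kerberos_enabled and cfg.ldap_enabled and cfg.custom_ldap_filters_defined:
        return cfg.allow_custom_ldap_filters_with_kerberos_auth
    return True


def filter_subject(cfg: AuthConfig, mechanism: str, identity: str,
                   authorized_proxy: bool = False,
                   delegated_user: Optional[str] = None) -> Optional[str]:
    """Return the username the LDAP user/group filters are checked against,
    or None when no filter check happens for this connection."""
    if mechanism == "kerberos":
        identity = username_from_principal(identity)
    if authorized_proxy:
        # Filters never apply to the authorized proxy user itself; with
        # delegation they apply to the delegated user instead.
        return delegated_user
    if mechanism == "ldap":
        return identity
    if mechanism == "kerberos":
        # Non-proxy Kerberos users are filtered only when the flag is set.
        return (identity if cfg.enable_group_filter_check_for_authenticated_kerberos_user
                else None)
    raise ValueError(f"unknown mechanism: {mechanism}")
```

The unsynchronized KDC/LDAP edge case from the notes corresponds to the last branch: with the group-filter flag set, a Kerberos user absent from LDAP is handed to the filters and fails them.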


