You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues-all@impala.apache.org by "Tim Armstrong (Jira)" <ji...@apache.org> on 2020/03/12 04:50:00 UTC
[jira] [Resolved] (IMPALA-9430) Kerberos configs should be passed
through to Kerberos libraries even if principal is not set
[ https://issues.apache.org/jira/browse/IMPALA-9430?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tim Armstrong resolved IMPALA-9430.
-----------------------------------
Fix Version/s: Impala 3.4.0
Resolution: Fixed
> Kerberos configs should be passed through to Kerberos libraries even if principal is not set
> --------------------------------------------------------------------------------------------
>
> Key: IMPALA-9430
> URL: https://issues.apache.org/jira/browse/IMPALA-9430
> Project: IMPALA
> Issue Type: Improvement
> Components: Backend
> Reporter: Tim Armstrong
> Assignee: Tim Armstrong
> Priority: Major
> Labels: kerberos, security
> Fix For: Impala 3.4.0
>
>
> InitKerberosEnv() configures native and JDK kerberos implementations based on command-line flags: https://github.com/apache/impala/blob/d1b42c836c3458a2ef3662c0b0b1fd8fbf8f2baf/be/src/rpc/authentication.cc#L866 . It only does this when --principal is set.
> It's possible that Impala can be set up to use kerberos to communicate with some external services, e.g. HMS or Hive, even if --principal is not set, since those clients read in config XML files that are independent of the Impala flags. This isn't a recommended configuration and requires a fair bit of expertise to get right, but I think it's very surprising that the configs *don't* get passed through in the case. The documentation doesn't mention this behaviour.
> The suggested change here is to apply the config changes independent of the value of --principal. It should be a noop if kerberos is not configured for any services.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org