You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues-all@impala.apache.org by "Tim Armstrong (JIRA)" <ji...@apache.org> on 2018/10/26 23:31:00 UTC

[jira] [Commented] (IMPALA-6859) De-templatize RpcMgrTestBase

    [ https://issues.apache.org/jira/browse/IMPALA-6859?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16665757#comment-16665757 ] 

Tim Armstrong commented on IMPALA-6859:
---------------------------------------

Fixed by



 commit 5c541b960491ba91533712144599fb3b6d99521d
Author: Michael Ho <kw...@cloudera.com>
Date:   Thu Aug 23 00:33:16 2018 -0700

    Add missing authorization in KRPC
    
    In 2.12.0, Impala adopted Kudu RPC library for certain backened services
    (TransmitData(), EndDataStream()). While the implementation uses Kerberos
    for authenticating users connecting to the backend services, there is no
    authorization implemented. This is a regression from the Thrift based
    implementation because it registered a SASL callback (SaslAuthorizeInternal)
    to be invoked during the connection negotiation. With this regression,
    an unauthorized but authenticated user may invoke RPC calls to Impala backend
    services.
    
    This change fixes the issue above by overriding the default authorization method
    for the DataStreamService. The authorization method will only let authenticated
    principal which matches FLAGS_principal / FLAGS_be_principal to access the service.
    Also added a new startup flag --krb5_ccname to allow users to customize the locations
    of the Kerberos credentials cache.
    
    Testing done:
    1. Added a new test case in rpc-mgr-kerberized-test.cc to confirm an unauthorized
    user is not allowed to access the service.
    2. Ran some queries in a Kerberos enabled cluster to make sure there is no error.
    3. Exhaustive builds.
    
    Thanks to Todd Lipcon for pointing out the problem and his guidance on the fix.
    
    Change-Id: I2f82dee5e721f2ed23e75fd91abbc6ab7addd4c5
    Reviewed-on: http://gerrit.cloudera.org:8080/11331
    Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
    Tested-by: Impala Public Jenkins <im...@cloudera.com>


> De-templatize RpcMgrTestBase
> ----------------------------
>
>                 Key: IMPALA-6859
>                 URL: https://issues.apache.org/jira/browse/IMPALA-6859
>             Project: IMPALA
>          Issue Type: Task
>          Components: Backend
>    Affects Versions: Impala 3.0
>            Reporter: Sailesh Mukil
>            Assignee: Michael Ho
>            Priority: Major
>              Labels: security, test
>             Fix For: Impala 3.1.0
>
>
> Now that we've gotten rid of the old way of Kinit-ing (IMPALA-5893), we can detemplatize RpcMgrTestBase, since there's only one option to run the kerberos tests with.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org