You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues-all@impala.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2019/08/17 04:15:00 UTC

[jira] [Commented] (IMPALA-8868) HTTP 401 response is wrong when both kerberos and ldap are enabled

    [ https://issues.apache.org/jira/browse/IMPALA-8868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16909569#comment-16909569 ] 

ASF subversion and git services commented on IMPALA-8868:
---------------------------------------------------------

Commit 46976ba4c1d7157d6fda36dbfc2ca9b3d7174a28 in impala's branch refs/heads/master from Thomas Tauber-Marshall
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=46976ba ]

IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled

When both kerberos and ldap auth are enabled and an http request is
not successfully authenticated, THttpServer only sends the
'WWW-Authenticate: Basic' challenge and doesn't send the
'WWW-Authenticate: Negotiate' challenge, which can cause clients that
want to connect with kerberos to fail to authenticate.

This patch fixes this to send both challenges.

Testing:
- Manually tested in a cluster with both Kerberos and LDAP enabled on
  Impala with connections proxied through Apache Knox, which would
  previously fail.

Change-Id: I138f33783bfd0f8f9b8db242589a9cc75cfd392a
Reviewed-on: http://gerrit.cloudera.org:8080/14077
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>


> HTTP 401 response is wrong when both kerberos and ldap are enabled
> ------------------------------------------------------------------
>
>                 Key: IMPALA-8868
>                 URL: https://issues.apache.org/jira/browse/IMPALA-8868
>             Project: IMPALA
>          Issue Type: Bug
>    Affects Versions: Impala 3.3.0
>            Reporter: Thomas Tauber-Marshall
>            Assignee: Thomas Tauber-Marshall
>            Priority: Blocker
>
> When both kerberos and ldap auth are enabled and an http request is not successfully authenticated, the THttpServer only sends the 'WWW-Authenticate: Basic' challenge and doesn't send the 'WWW-Authenticate: Negotiate' challenge, which can cause clients that want to connect with kerberos to fail to authenticate.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org