You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@impala.apache.org by ta...@apache.org on 2019/08/17 04:14:29 UTC
[impala] branch master updated (8c5ea90 -> 46976ba)
This is an automated email from the ASF dual-hosted git repository.
tarmstrong pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git.
from 8c5ea90 IMPALA-8836: Support COMPUTE STATS on insert only ACID tables
new c37f177 IMPALA-8871: Upgrade Thrift version in fe
new 46976ba IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
be/src/transport/THttpServer.cpp | 15 ++++++++++-----
impala-parent/pom.xml | 2 +-
2 files changed, 11 insertions(+), 6 deletions(-)
[impala] 01/02: IMPALA-8871: Upgrade Thrift version in fe
Posted by ta...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
tarmstrong pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git
commit c37f17732edcb1740941d8c2dc8ad289d8d11898
Author: stakiar <ta...@gmail.com>
AuthorDate: Wed Feb 13 11:43:45 2019 -0600
IMPALA-8871: Upgrade Thrift version in fe
Upgrade fe/ Thrift version to 0.9.3-1.
Testing:
* Ran exhaustive tests.
* Ran perf-AB-test, which showed no significant perf difference.
Change-Id: If62e6330f0a725ebd4213c200656fc12a0eccf06
Reviewed-on: http://gerrit.cloudera.org:8080/14084
Reviewed-by: Tim Armstrong <ta...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
impala-parent/pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/impala-parent/pom.xml b/impala-parent/pom.xml
index ab1dbb3..cb77741 100644
--- a/impala-parent/pom.xml
+++ b/impala-parent/pom.xml
@@ -41,7 +41,7 @@ under the License.
<parquet.version>${env.IMPALA_PARQUET_VERSION}</parquet.version>
<kite.version>${env.IMPALA_KITE_VERSION}</kite.version>
<knox.version>${env.IMPALA_KNOX_VERSION}</knox.version>
- <thrift.version>0.9.3</thrift.version>
+ <thrift.version>0.9.3-1</thrift.version>
<impala.extdatasrc.api.version>1.0-SNAPSHOT</impala.extdatasrc.api.version>
<impala.query.event.hook.api.version>1.0-SNAPSHOT</impala.query.event.hook.api.version>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
[impala] 02/02: IMPALA-8868: Fix 401 response when LDAP and
Kerberos are enabled
Posted by ta...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
tarmstrong pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git
commit 46976ba4c1d7157d6fda36dbfc2ca9b3d7174a28
Author: Thomas Tauber-Marshall <tm...@cloudera.com>
AuthorDate: Thu Aug 15 12:03:20 2019 -0700
IMPALA-8868: Fix 401 response when LDAP and Kerberos are enabled
When both kerberos and ldap auth are enabled and an http request is
not successfully authenticated, THttpServer only sends the
'WWW-Authenticate: Basic' challenge and doesn't send the
'WWW-Authenticate: Negotiate' challenge, which can cause clients that
want to connect with kerberos to fail to authenticate.
This patch fixes this to send both challenges.
Testing:
- Manually tested in a cluster with both Kerberos and LDAP enabled on
Impala with connections proxied through Apache Knox, which would
previously fail.
Change-Id: I138f33783bfd0f8f9b8db242589a9cc75cfd392a
Reviewed-on: http://gerrit.cloudera.org:8080/14077
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
be/src/transport/THttpServer.cpp | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/be/src/transport/THttpServer.cpp b/be/src/transport/THttpServer.cpp
index fb2ff11..8db0a1c 100644
--- a/be/src/transport/THttpServer.cpp
+++ b/be/src/transport/THttpServer.cpp
@@ -170,11 +170,15 @@ void THttpServer::headersDone() {
// Determine what type of auth header we got.
StripWhiteSpace(&auth_value_);
- string basic_auth_token;
- bool got_basic_auth = TryStripPrefixString(auth_value_, "Basic ", &basic_auth_token);
- string negotiate_auth_token;
+ string stripped_basic_auth_token;
+ bool got_basic_auth =
+ TryStripPrefixString(auth_value_, "Basic ", &stripped_basic_auth_token);
+ string basic_auth_token = got_basic_auth ? move(stripped_basic_auth_token) : "";
+ string stripped_negotiate_auth_token;
bool got_negotiate_auth =
- TryStripPrefixString(auth_value_, "Negotiate ", &negotiate_auth_token);
+ TryStripPrefixString(auth_value_, "Negotiate ", &stripped_negotiate_auth_token);
+ string negotiate_auth_token =
+ got_negotiate_auth ? move(stripped_negotiate_auth_token) : "";
// We can only have gotten one type of auth header.
DCHECK(!got_basic_auth || !got_negotiate_auth);
@@ -192,7 +196,8 @@ void THttpServer::headersDone() {
} else {
if (got_basic_auth && metrics_enabled_) total_basic_auth_failure_->Increment(1);
}
- } else if (has_kerberos_ && (!got_basic_auth || !has_ldap_)) {
+ }
+ if (has_kerberos_ && (!got_basic_auth || !has_ldap_)) {
bool is_complete;
if (callbacks_.negotiate_auth_fn(negotiate_auth_token, &is_complete)) {
// If 'is_complete' is false we want to return a 401.