Posted to issues-all@impala.apache.org by "Sailesh Mukil (JIRA)" <ji...@apache.org> on 2018/08/10 00:43:00 UTC

[jira] [Commented] (IMPALA-4978) Impala should set the kerberos principal to the FQDN

    [ https://issues.apache.org/jira/browse/IMPALA-4978?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16575612#comment-16575612 ] 

Sailesh Mukil commented on IMPALA-4978:
---------------------------------------

https://github.com/apache/impala/blob/3e17705ecaba0b6ab9ae929e6c7c409e0b6aea1d/be/src/rpc/authentication.cc#L787-L788

We already do this now since we get the principal from the Kudu security code, which already tries to get the FQDN. We should do the same here, however:
https://github.com/apache/impala/blob/3e17705ecaba0b6ab9ae929e6c7c409e0b6aea1d/be/src/rpc/authentication.cc#L814

And also make sure that our process-wide hostname flag (FLAGS_hostname) has the same value:
https://github.com/apache/impala/blob/7f9a74ffcaf1818f1f3c9d427557acca21a627da/be/src/common/init.cc#L191

> Impala should set the kerberos principal to the FQDN
> ----------------------------------------------------
>
>                 Key: IMPALA-4978
>                 URL: https://issues.apache.org/jira/browse/IMPALA-4978
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: Impala 2.3.0
>            Reporter: Sailesh Mukil
>            Assignee: Sailesh Mukil
>            Priority: Major
>              Labels: security
>
> Impala calls gethostname() to get the local system's name, which is used as a part of the Kerberos principal. This usually works fine under most settings; however, this is not guaranteed to return the FQDN of the host under certain settings (e.g., possibly while using a DNS GSLB).
> Impala should attempt to get the FQDN first, which can be obtained by using getaddrinfo(), and fall back to gethostname() otherwise. This is the behavior of Hadoop, which we should try to match as closely as possible:
> https://github.com/apache/hadoop/blob/master/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java#L169
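The lookup order the issue describes (getaddrinfo() first, gethostname() as the fallback), as an added example that is not Impala's or Hadoop's code. The function names, the `impala` service name, the `EXAMPLE.COM` realm and the lowercasing of the host part are assumptions of this sketch.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <ctype.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Ask the resolver for the canonical name of `name`.
 * Returns 1 if one was obtained, 0 if `name` itself was kept as the fallback. */
int canonical_name(const char *name, char *out, size_t outlen) {
    struct addrinfo hints, *res = NULL;
    int found = 0;
    memset(&hints, 0, sizeof(hints));   /* zeroed hints: any address family */
    hints.ai_flags = AI_CANONNAME;      /* request ai_canonname on the first result */
    if (getaddrinfo(name, NULL, &hints, &res) == 0 && res && res->ai_canonname) {
        snprintf(out, outlen, "%s", res->ai_canonname);
        found = 1;
    } else {
        snprintf(out, outlen, "%s", name);
    }
    if (res) freeaddrinfo(res);
    return found;
}

/* FQDN first, plain gethostname() value otherwise; -1 only if gethostname() fails. */
int local_fqdn(char *out, size_t outlen) {
    char host[256];
    if (gethostname(host, sizeof(host)) != 0) return -1;
    host[sizeof(host) - 1] = '\0';      /* gethostname() may not terminate on truncation */
    return canonical_name(host, out, outlen);
}

/* Build service/host@REALM with the host part lowercased (this sketch's choice,
 * so the name matches however the resolver cased it). Returns -1 on truncation. */
int build_principal(const char *service, const char *host, const char *realm,
                    char *out, size_t outlen) {
    int n = snprintf(out, outlen, "%s/%s@%s", service, host, realm);
    if (n < 0 || (size_t)n >= outlen) return -1;
    for (char *p = strchr(out, '/') + 1; *p != '@'; p++) *p = (char)tolower((unsigned char)*p);
    return 0;
}

int main(void) {
    char fqdn[256], princ[512];
    int rc = local_fqdn(fqdn, sizeof(fqdn));
    if (rc < 0 || build_principal("impala", fqdn, "EXAMPLE.COM", princ, sizeof(princ)) != 0) return 1;
    printf("%s (%s)\n", princ, rc ? "canonical name" : "gethostname() fallback");
    return 0;
}
```

Comparing the printed principal with the entries in the host's keytab shows whether the name the process derives is the one the KDC issued keys for.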


