Repository: impala
Updated Branches:
  refs/heads/2.x 68f843785 -> 70980adec

IMPALA-6477: rpc-mgr-kerberized-test fails on CentOS 6.4

On systems that have Kerberos 1.11 or earlier, service principals with
IP addresses are not supported due to a bug:

Since our BE tests use such principals, they fail on older platforms with the
above mentioned kerberos versions.

Kudu fixed this by adding a workaround which overrides krb5_realm_override.

We realized that even though this is linked correctly on older platforms, it 
not turn on until the KUDU_ENABLE_KRB5_REALM_FIX environment variable is set.

This patch sets it only for tests. We DO NOT enable this workaround for live
clusters. The reasoning is that if a user of Impala is using an older
version of kerberos that has a known bug of not being able to handle
numeric IP addresses, then it's not on Impala to fix that issue. We allow
it for tests because we want to be able to run our tests on multiple

Change-Id: I7227551aabd1ef4f8e8608fefb74293f9f763e13
Reviewed-by: Sailesh Mukil <>
Tested-by: Impala Public Jenkins


Branch: refs/heads/2.x
Commit: 70980adec39593e76d9a8022cd9abaf9f2105335
Parents: ceaef08
Author: Sailesh Mukil <>
Authored: Tue Mar 6 14:24:10 2018 -0800
Committer: Impala Public Jenkins <>
Committed: Wed Mar 7 23:14:39 2018 +0000

 be/src/rpc/ | 4 ++--
 be/src/testutil/   | 3 +++
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/be/src/rpc/ 
index bb4b9db..6244c2d 100644
--- a/be/src/rpc/
+++ b/be/src/rpc/
@@ -53,10 +53,10 @@ class RpcMgrKerberizedTest :
 // TODO: IMPALA-6477: This test breaks on CentOS 6.4. Re-enable after a fix.
-                                          USE_IMPALA_KERBEROS));*/
+                                          USE_IMPALA_KERBEROS));
 TEST_P(RpcMgrKerberizedTest, MultipleServicesTls) {
   // TODO: We're starting a seperate RpcMgr here instead of configuring
diff --git a/be/src/testutil/ 
index d378ea4..eb9d9f1 100644
--- a/be/src/testutil/
+++ b/be/src/testutil/
@@ -66,6 +66,9 @@ Status MiniKdcWrapper::CreateServiceKeytab(const string& spn, 
string* kt_path) {
 Status MiniKdcWrapper::SetupAndStartMiniKDC(KerberosSwitch k) {
   if (k != KERBEROS_OFF) {
+    // Enable the workaround for MIT krb5 1.10 bugs from
+    setenv("KUDU_ENABLE_KRB5_REALM_FIX", "true", 0);
     FLAGS_use_kudu_kinit = k == USE_KUDU_KERBEROS;
     // Check if the unique directory already exists, and create it if it 

Reply via email to