This is an automated email from the ASF dual-hosted git repository.

csringhofer pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git


The following commit(s) were added to refs/heads/master by this push:
     new 98f15044a IMPALA-13746: Fix long ldap password handling in 
impala-shell+hs2-http
98f15044a is described below

commit 98f15044a14bcb21cb28e1482f3693c19c659241
Author: Csaba Ringhofer <[email protected]>
AuthorDate: Mon Apr 14 15:58:20 2025 +0200

    IMPALA-13746: Fix long ldap password handling in impala-shell+hs2-http
    
    Before this patch impala-shell inserted a \n char after every 76 bytes.
    The fix is to switch to a different function for encoding. The exact
    semantics of base64 functions is described in
    https://docs.python.org/3/library/base64.html
    
    Based on impyla fix https://github.com/cloudera/impyla/pull/562 by
    https://github.com/paulmayer (released in Impyla 0.21a3)
    
    Change-Id: I4d73d682cf2d1843d9801ef71b99d551b79deb19
    Reviewed-on: http://gerrit.cloudera.org:8080/22780
    Reviewed-by: Csaba Ringhofer <[email protected]>
    Tested-by: Csaba Ringhofer <[email protected]>
---
 .../org/apache/impala/customcluster/LdapImpalaShellTest.java | 11 +++++++++++
 fe/src/test/java/org/apache/impala/testutil/LdapUtil.java    |  4 ++++
 fe/src/test/resources/users.ldif                             | 12 +++++++++++-
 shell/impala_client.py                                       | 10 +++++-----
 4 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/fe/src/test/java/org/apache/impala/customcluster/LdapImpalaShellTest.java b/fe/src/test/java/org/apache/impala/customcluster/LdapImpalaShellTest.java
index c950d4519..bc301010d 100644
--- a/fe/src/test/java/org/apache/impala/customcluster/LdapImpalaShellTest.java
+++ b/fe/src/test/java/org/apache/impala/customcluster/LdapImpalaShellTest.java
@@ -171,6 +171,12 @@ public class LdapImpalaShellTest {
     // 6. Without username and password. Should fail.
     String[] commandWithoutAuth = {
         "impala-shell.sh", "", String.format("--query=%s", query)};
+    // 7. Valid username with long password to trigger IMPALA-13746. Should succeed.
+    String[] validCommandLongPsw = {"impala-shell.sh", "", "--ldap",
+        "--auth_creds_ok_in_clear", "--verbose",
+        String.format("--user=%s", TEST_USER_LONG_PSW),
+        String.format("--ldap_password_cmd=printf %s", TEST_PASSWORD_LONG),
+        String.format("--query=%s", query)};
     String protocolTemplate = "--protocol=%s";
 
     // Sorted list of cookies for validCommand, where all cookies are preserved.
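Review bot: On the `--ldap_password_cmd=printf %s` line of `validCommandLongPsw`, the password is substituted into the command string unquoted and lands in printf's format position, so a future test password containing `%`, a backslash, whitespace or a shell metacharacter would reach the server altered and the test would fail for a reason unrelated to IMPALA-13746. The current constant is lowercase letters and digits only, so this is latent. Passing the value as a quoted argument, `String.format("--ldap_password_cmd=printf %%s '%s'", TEST_PASSWORD_LONG)`, would keep it literal, assuming the shell tokenises the command with shell-style quoting, which is not visible here. If the other commands in this method use the same `printf %s` form, a one-line comment that test passwords must stay alphanumeric is the smaller fix. The enclosing test method starts and ends outside the hunk.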
@@ -228,6 +234,11 @@ public class LdapImpalaShellTest {
       commandWithoutAuth[1] = protocol;
       RunShellCommand.Run(
           commandWithoutAuth, /*shouldSucceed*/ false, "", "Not connected to Impala");
+
+      validCommandLongPsw[1] = protocol;
+      RunShellCommand.Run(validCommandLongPsw,
+          /*shouldSucceed*/ true, TEST_USER_LONG_PSW,
+          "Starting Impala Shell with LDAP-based authentication");
     }
   }
 
diff --git a/fe/src/test/java/org/apache/impala/testutil/LdapUtil.java b/fe/src/test/java/org/apache/impala/testutil/LdapUtil.java
index 1df057957..170fe238d 100644
--- a/fe/src/test/java/org/apache/impala/testutil/LdapUtil.java
+++ b/fe/src/test/java/org/apache/impala/testutil/LdapUtil.java
@@ -40,6 +40,10 @@ public class LdapUtil {
 
   public static final String TEST_USER_7 = "Test7Ldap";
 
+  public static final String TEST_USER_LONG_PSW = "TestLdapLongPsw";
+  public static final String TEST_PASSWORD_LONG =
+      "verylongpasswordthatcreatesalongbasic64encoding";
+
   // TEST_USER_1 and TEST_USER_2 are members of this group.
   public static final String TEST_USER_GROUP = "group1";
 
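Review bot: `TEST_USER_LONG_PSW` and `TEST_PASSWORD_LONG` carry no comment saying why the length matters, so a later edit that shortens either value would silently stop exercising IMPALA-13746. The old encoder broke the line after 76 output characters, which corresponds to a `user:password` string longer than 57 bytes; the current pair is 63 bytes. I would add above them `// user:password must be longer than 57 bytes so its base64 form exceeds 76 chars (IMPALA-13746).` and `// Keep in sync with the TestLdapLongPsw entry in users.ldif.`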
diff --git a/fe/src/test/resources/users.ldif b/fe/src/test/resources/users.ldif
index c1787ef1b..dfb2195ea 100644
--- a/fe/src/test/resources/users.ldif
+++ b/fe/src/test/resources/users.ldif
@@ -102,4 +102,14 @@ dn: cn=group2,ou=Groups,dc=myorg,dc=com
 objectClass: top
 objectClass: groupOfUniqueNames
 cn: group2
-uniqueMember: cn=Test1Ldap,ou=Users,dc=myorg,dc=com
\ No newline at end of file
+uniqueMember: cn=Test1Ldap,ou=Users,dc=myorg,dc=com
+
+dn: cn=TestLdapLongPsw,ou=Users,dc=myorg,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+cn: TestLdapLongPsw
+sn: Ldap
+uid: estldaplongpsw
+userPassword: verylongpasswordthatcreatesalongbasic64encoding
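Review bot: `uid: estldaplongpsw` in the new entry looks like it lost its leading `t`; `uid: testldaplongpsw` would match the `cn`. Whether any test configuration searches by `uid` rather than binding by `cn` cannot be seen from this hunk, so this may be harmless today, but a misspelt attribute in a shared fixture is easy to trip over later. The `userPassword` value also has to stay identical to `TEST_PASSWORD_LONG` in LdapUtil.java; an LDIF comment such as `# Password must match LdapUtil.TEST_PASSWORD_LONG (IMPALA-13746).` above the entry would record that.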
diff --git a/shell/impala_client.py b/shell/impala_client.py
index 96b2554c7..8e2c2d1f6 100755
--- a/shell/impala_client.py
+++ b/shell/impala_client.py
@@ -436,11 +436,11 @@ class ImpalaClient(object):
     if self.use_ldap:
       # Set the BASIC authorization
       user_passwd = "{0}:{1}".format(self.user, self.ldap_password)
-      if sys.version_info.major < 3 or \
-          sys.version_info.major == 3 and sys.version_info.minor == 0:
-        auth = base64.encodestring(user_passwd.encode()).decode().strip('\n')
-      else:
-        auth = base64.encodebytes(user_passwd.encode()).decode().strip('\n')
+      # Produce RFC 2617-compliant basic credentials:
+      #  - RFC 2045 encoding of username:password without limitations to 76 chars
+      #    per line (and without trailing newline)
+      #  - No translation of characters (+,/) for URL-safety
+      auth = base64.b64encode(user_passwd.encode()).decode()
       transport.setLdapAuth(auth)
     elif self.jwt is not None:
       transport.setJwtAuth(self.jwt)
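Review bot: The new comment above `auth = base64.b64encode(...)` cites RFC 2617 and RFC 2045, but RFC 7617 obsoleted RFC 2617 for Basic authentication, and RFC 2045 is the MIME profile whose 76-character line limit caused this bug; `b64encode` emits the plain, unwrapped standard-alphabet encoding. I would reword it to `# Basic credentials (RFC 7617): standard-alphabet base64 of user:password,` followed by `# on a single line, with no line breaks and no URL-safe substitution.` Separately, `.encode()` leaves the codec implicit; `user_passwd.encode('utf-8')` would state which bytes a non-ASCII user name or password becomes, though whether the server decodes the header as UTF-8 is not visible here. The enclosing method starts and ends outside the hunk.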
