Repository: incubator-impala
Updated Branches:
refs/heads/master 84b8155cc -> f51c4435c
IMPALA-4669: [SECURITY] Add security library to build
* Minor compilation fix
* Add krb5 as a non-toolchain dependency
* Handle legacy versions of libkrb5.so by providing implementation of
krb5_is_config_principal().
* Link against openssl from the toolchain if 1.0.0 or higher not found
on build machine.
* Update LICENSE.txt and NOTICE.txt re: OpenSSL code in x509_check_host.{h,c}.
Change-Id: I4f327810066bee7f3ac107b0295480fb9ed45e14
Reviewed-on: http://gerrit.cloudera.org:8080/5717
Reviewed-by: Henry Robinson <[email protected]>
Tested-by: Henry Robinson <[email protected]>
Project: http://git-wip-us.apache.org/repos/asf/incubator-impala/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-impala/commit/f51c4435
Tree: http://git-wip-us.apache.org/repos/asf/incubator-impala/tree/f51c4435
Diff: http://git-wip-us.apache.org/repos/asf/incubator-impala/diff/f51c4435
Branch: refs/heads/master
Commit: f51c4435c9b9ce04e5476d7b54f442e8b72db878
Parents: 84b8155
Author: Henry Robinson <[email protected]>
Authored: Fri Jan 13 03:29:53 2017 -0800
Committer: Henry Robinson <[email protected]>
Committed: Tue Aug 15 00:47:26 2017 +0000
----------------------------------------------------------------------
CMakeLists.txt | 28 ++++++++++++++---
NOTICE.txt | 7 +++++
be/CMakeLists.txt | 11 +++++++
be/src/common/config.h.in | 2 ++
be/src/kudu/security/init.cc | 48 +++++++++++++++++++++++------
be/src/kudu/security/token_verifier.cc | 3 +-
bin/bootstrap_build.sh | 2 +-
cmake_modules/FindKerberos.cmake | 9 ++++--
8 files changed, 92 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/f51c4435/CMakeLists.txt
----------------------------------------------------------------------
diff --git a/CMakeLists.txt b/CMakeLists.txt
index e31e98f..63e5d43 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -95,9 +95,6 @@ set_dep_root(RAPIDJSON)
set_dep_root(SNAPPY)
set_dep_root(THRIFT)
set_dep_root(ZLIB)
-if (APPLE)
- set_dep_root(OPENSSL)
-endif()
# The boost-cmake project hasn't been maintained for years. Let's make sure we
# don't accidentally use it if it can be found.
@@ -151,7 +148,23 @@ include_directories(${Boost_INCLUDE_DIRS})
message(STATUS "Boost include dir: " ${Boost_INCLUDE_DIRS})
message(STATUS "Boost libraries: " ${Boost_LIBRARIES})
-find_package(OpenSSL REQUIRED)
+# If at all possible, try to link with system OpenSSL in an attempt to match
what the
+# platform that this build might ultimately be deployed on. If no suitable
OpenSSL is
+# found, use the toolchain version - but beware that Impala will then fail to
start if
+# deployed on a system with a lower version.
+find_package(OpenSSL 1.0.0 QUIET)
+if (NOT ${OPENSSL_FOUND})
+ set_dep_root(OPENSSL)
+ set(OPENSSL_FOUND ON)
+ set(OPENSSL_INCLUDE_DIR ${OPENSSL_ROOT}/include)
+ set(OPENSSL_SSL_LIBRARY ${OPENSSL_ROOT}/lib/libssl.so)
+ set(OPENSSL_CRYPTO_LIBRARY ${OPENSSL_ROOT}/lib/libcrypto.so)
+ set(OPENSSL_VERSION $ENV{IMPALA_OPENSSL_VERSION})
+ message(STATUS "System OpenSSL not found. Defaulting to toolchain version in"
+ " ${OPENSSL_ROOT_DIR}")
+endif()
+
+# OpenSSL, being a security dependency, is always dynamically linked.
IMPALA_ADD_THIRDPARTY_LIB(openssl_ssl ${OPENSSL_INCLUDE_DIR} ""
${OPENSSL_SSL_LIBRARY})
IMPALA_ADD_THIRDPARTY_LIB(openssl_crypto "" "" ${OPENSSL_CRYPTO_LIBRARY})
@@ -281,6 +294,13 @@ find_package(Breakpad REQUIRED)
IMPALA_ADD_THIRDPARTY_LIB(breakpad_client ${BREAKPAD_INCLUDE_DIR}
${BREAKPAD_STATIC_LIB}
"")
+# Be careful with Kerberos: we do not statically link against it as it is a
security
+# dependency.
+find_package(Kerberos REQUIRED)
+IMPALA_ADD_THIRDPARTY_LIB(krb5 ${KERBEROS_INCLUDE_DIR} "" ${KERBEROS_LIBRARY})
+
+###################################################################
+
# System dependencies
if (NOT APPLE)
find_library(RT_LIB_PATH rt)
http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/f51c4435/NOTICE.txt
----------------------------------------------------------------------
diff --git a/NOTICE.txt b/NOTICE.txt
index 6feed69..a46294a 100644
--- a/NOTICE.txt
+++ b/NOTICE.txt
@@ -6,3 +6,10 @@ The Apache Software Foundation (http://www.apache.org/).
Portions of this software were developed at
Cloudera, Inc (http://www.cloudera.com/).
+
+This product includes software developed by the OpenSSL
+Project for use in the OpenSSL Toolkit (http://www.openssl.org/)
+
+This product includes cryptographic software written by Eric Young
+([email protected]). This product includes software written by Tim
+Hudson ([email protected]).
http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/f51c4435/be/CMakeLists.txt
----------------------------------------------------------------------
diff --git a/be/CMakeLists.txt b/be/CMakeLists.txt
index b0922b0..22c18b6 100644
--- a/be/CMakeLists.txt
+++ b/be/CMakeLists.txt
@@ -309,6 +309,12 @@ CHECK_FUNCTION_EXISTS(preadv HAVE_PREADV)
INCLUDE(CheckIncludeFiles)
CHECK_INCLUDE_FILES(linux/magic.h HAVE_MAGIC_H)
+include(CheckLibraryExists)
+CHECK_LIBRARY_EXISTS("krb5" krb5_is_config_principal
+ ${KERBEROS_LIBRARY} HAVE_KRB5_IS_CONFIG_PRINCIPAL)
+CHECK_LIBRARY_EXISTS("krb5" krb5_get_init_creds_opt_set_out_ccache
+ ${KERBEROS_LIBRARY} HAVE_KRB5_GET_INIT_CREDS_OPT_SET_OUT_CCACHE)
+
# This is a list of impala library dependencies. Individual libraries
# must not specify library dependencies in their own CMakeLists.txt file.
# Enclose the impala libraries in -Wl,--start-group and -Wl,--end-group
@@ -337,10 +343,12 @@ set (IMPALA_LINK_LIBS
Rpc
Runtime
Scheduling
+ security
Service
Statestore
TestUtil
ThriftSaslTransport
+ token_proto
Udf
Util
${WL_END_GROUP}
@@ -358,6 +366,7 @@ if (BUILD_SHARED_LIBS)
Exprs
Rpc
Service
+ security
Statestore
Scheduling
Catalog
@@ -384,6 +393,7 @@ set (IMPALA_DEPENDENCIES
gutil
glog
gflags
+ krb5
pprof
breakpad_client
hdfs
@@ -490,6 +500,7 @@ add_subdirectory(src/codegen)
add_subdirectory(src/common)
add_subdirectory(src/exec)
add_subdirectory(src/exprs)
+add_subdirectory(src/kudu/security)
add_subdirectory(src/kudu/util)
add_subdirectory(src/runtime)
add_subdirectory(src/scheduling)
http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/f51c4435/be/src/common/config.h.in
----------------------------------------------------------------------
diff --git a/be/src/common/config.h.in b/be/src/common/config.h.in
index a33f2b9..8f638a9 100644
--- a/be/src/common/config.h.in
+++ b/be/src/common/config.h.in
@@ -27,5 +27,7 @@
#cmakedefine HAVE_PREADV
#cmakedefine HAVE_PIPE2
#cmakedefine HAVE_MAGIC_H
+#cmakedefine HAVE_KRB5_IS_CONFIG_PRINCIPAL
+#cmakedefine HAVE_KRB5_GET_INIT_CREDS_OPT_SET_OUT_CCACHE
#endif
http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/f51c4435/be/src/kudu/security/init.cc
----------------------------------------------------------------------
diff --git a/be/src/kudu/security/init.cc b/be/src/kudu/security/init.cc
index dfdb5cd..c9baeb4 100644
--- a/be/src/kudu/security/init.cc
+++ b/be/src/kudu/security/init.cc
@@ -37,15 +37,12 @@
#include "kudu/util/scoped_cleanup.h"
#include "kudu/util/thread.h"
-DEFINE_string(keytab_file, "",
- "Path to the Kerberos Keytab file for this server. Specifying a "
- "keytab file will cause the server to kinit, and enable Kerberos
"
- "to be used to authenticate RPC connections.");
+#include "common/config.h"
+
+DECLARE_string(keytab_file);
TAG_FLAG(keytab_file, stable);
-DEFINE_string(principal, "kudu/_HOST",
- "Kerberos principal that this daemon will log in as. The special
token "
- "_HOST will be replaced with the FQDN of the local host.");
+DECLARE_string(principal);
TAG_FLAG(principal, experimental);
// This is currently tagged as unsafe because there is no way for users to
configure
// clients to expect a non-default principal. As such, configuring a server to
login
@@ -218,6 +215,37 @@ int32_t KinitContext::GetBackedOffRenewInterval(int32_t
time_remaining, uint32_t
return static_cast<int32_t>(base_time * dist(generator));
}
+#ifndef HAVE_KRB5_IS_CONFIG_PRINCIPAL
+
+namespace {
+
+// Adapted from
+// https://github.com/krb5/krb5/blob/master/src/lib/krb5/ccache/ccfns.c#L248
+// available under MIT license.
+
+static const char conf_realm[] = "X-CACHECONF:";
+static const char conf_name[] = "krb5_ccache_conf_data";
+
+krb5_boolean krb5_is_config_principal(krb5_context context,
+ krb5_const_principal principal) {
+ const krb5_data *realm = &principal->realm;
+
+ if (realm->length != sizeof(conf_realm) - 1 ||
+ memcmp(realm->data, conf_realm, sizeof(conf_realm) - 1) != 0)
+ return FALSE;
+
+ if (principal->length == 0 ||
+ principal->data[0].length != (sizeof(conf_name) - 1) ||
+ memcmp(principal->data[0].data, conf_name, sizeof(conf_name) - 1) != 0)
+ return FALSE;
+
+ return TRUE;
+}
+
+}
+
+#endif
+
Status KinitContext::DoRenewal() {
krb5_cc_cursor cursor;
@@ -267,7 +295,7 @@ Status KinitContext::DoRenewal() {
nullptr /* TKT
service name */,
opts_),
"Reacquire error: unable to login from
keytab");
-#ifdef __APPLE__
+#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_OUT_CCACHE
// Heimdal krb5 doesn't have the
'krb5_get_init_creds_opt_set_out_ccache' option,
// so use this alternate route.
KRB5_RETURN_NOT_OK_PREPEND(krb5_cc_initialize(g_krb5_ctx, ccache_,
principal_),
@@ -320,7 +348,7 @@ Status KinitContext::Kinit(const string& keytab_path, const
string& principal) {
KRB5_RETURN_NOT_OK_PREPEND(krb5_get_init_creds_opt_alloc(g_krb5_ctx, &opts_),
"unable to allocate get_init_creds_opt struct");
-#ifndef __APPLE__
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_OUT_CCACHE
KRB5_RETURN_NOT_OK_PREPEND(krb5_get_init_creds_opt_set_out_ccache(g_krb5_ctx,
opts_, ccache_),
"unable to set init_creds options");
#endif
@@ -335,7 +363,7 @@ Status KinitContext::Kinit(const string& keytab_path, const
string& principal) {
ticket_end_timestamp_ = creds.times.endtime;
-#ifdef __APPLE__
+#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_OUT_CCACHE
// Heimdal krb5 doesn't have the 'krb5_get_init_creds_opt_set_out_ccache'
option,
// so use this alternate route.
KRB5_RETURN_NOT_OK_PREPEND(krb5_cc_initialize(g_krb5_ctx, ccache_,
principal_),
http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/f51c4435/be/src/kudu/security/token_verifier.cc
----------------------------------------------------------------------
diff --git a/be/src/kudu/security/token_verifier.cc
b/be/src/kudu/security/token_verifier.cc
index 8f3d5ad..dbb9b33 100644
--- a/be/src/kudu/security/token_verifier.cc
+++ b/be/src/kudu/security/token_verifier.cc
@@ -157,8 +157,9 @@ const char* VerificationResultToString(VerificationResult
r) {
case security::VerificationResult::INCOMPATIBLE_FEATURE:
return "authentication token uses incompatible feature";
}
+ DCHECK(false);
+ return nullptr;
}
} // namespace security
} // namespace kudu
-
http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/f51c4435/bin/bootstrap_build.sh
----------------------------------------------------------------------
diff --git a/bin/bootstrap_build.sh b/bin/bootstrap_build.sh
index fa3dbfd..9c53ed8 100755
--- a/bin/bootstrap_build.sh
+++ b/bin/bootstrap_build.sh
@@ -32,7 +32,7 @@ set -euxo pipefail
# Install dependencies:
sudo apt-get update
sudo apt-get --yes install g++ gcc git libsasl2-dev libssl-dev make maven
openjdk-7-jdk \
- python-dev python-setuptools libffi-dev
+ python-dev python-setuptools libffi-dev libkrb5-dev
export JAVA_HOME=/usr/lib/jvm/java-7-openjdk-amd64/
./buildall.sh -notests -so
http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/f51c4435/cmake_modules/FindKerberos.cmake
----------------------------------------------------------------------
diff --git a/cmake_modules/FindKerberos.cmake b/cmake_modules/FindKerberos.cmake
index 197a30c..b435291 100644
--- a/cmake_modules/FindKerberos.cmake
+++ b/cmake_modules/FindKerberos.cmake
@@ -21,8 +21,13 @@
# KERBEROS_LIBRARY - List of libraries when using krb5.
# KERBEROS_FOUND - True if krb5 found.
-find_path(KERBEROS_INCLUDE_DIR krb5.h)
-find_library(KERBEROS_LIBRARY NAMES krb5)
+set(_KRB5_SEARCH_DIRS)
+if (KRB5_ROOT)
+ set(_KRB5_SEARCH_DIRS PATHS ${KRB5_ROOT} NO_DEFAULT_PATH)
+endif()
+
+find_path(KERBEROS_INCLUDE_DIR krb5.h ${_KRB5_SEARCH_DIRS} PATH_SUFFIXES
include)
+find_library(KERBEROS_LIBRARY NAMES krb5 ${_KRB5_SEARCH_DIRS} PATH_SUFFIXES
lib)
# handle the QUIETLY and REQUIRED arguments and set KERBEROS_FOUND to TRUE if
# all listed variables are TRUE
