security: only lookup hostname if _HOST substitution is required

The Kerberos principal configuration uses the special token '_HOST' to indicate that the FQDN of the host should be specified. Previously we would always look up the FQDN even if the substitution was not required, which might mean that startup would fail if there was no FQDN available, even if no _HOST substitution was required.

Now, we only look up the FQDN if FLAGS_principal contains the substitution token. This provides the possibility of a workaround of explicit principal configuration on machines with no FQDN.

Change-Id: I5de8647d6cf63ea70d880fa530fa289e8bae24fe
Reviewed-on: http://gerrit.cloudera.org:8080/7694
Tested-by: Kudu Jenkins
Reviewed-by: Alexey Serbin <[email protected]>
Reviewed-on: http://gerrit.cloudera.org:8080/7894
Reviewed-by: Sailesh Mukil <[email protected]>
Tested-by: Sailesh Mukil <[email protected]>

Project: http://git-wip-us.apache.org/repos/asf/incubator-impala/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-impala/commit/e7bd0ce5
Tree: http://git-wip-us.apache.org/repos/asf/incubator-impala/tree/e7bd0ce5
Diff: http://git-wip-us.apache.org/repos/asf/incubator-impala/diff/e7bd0ce5

Branch: refs/heads/master
Commit: e7bd0ce5b9f2d44bc0d429672924d19a0142c2b1
Parents: d1239a9
Author: Todd Lipcon <[email protected]>
Authored: Wed Aug 16 19:12:44 2017 -0700
Committer: Sailesh Mukil <[email protected]>
Committed: Fri Sep 1 03:09:25 2017 +0000

----------------------------------------------------------------------
 be/src/kudu/security/init.cc | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/e7bd0ce5/be/src/kudu/security/init.cc
----------------------------------------------------------------------
diff --git a/be/src/kudu/security/init.cc b/be/src/kudu/security/init.cc index c1e94ed..aff20e9 100644 --- a/be/src/kudu/security/init.cc +++ b/be/src/kudu/security/init.cc 
@@ -390,14 +390,17 @@ Status KinitContext::Kinit(const string& keytab_path, const string& principal) { Status GetConfiguredPrincipal(string* principal) { string p = FLAGS_principal; - string hostname; - // Try to fill in either the FQDN or hostname. - if (!GetFQDN(&hostname).ok()) { - RETURN_NOT_OK(GetHostname(&hostname)); + const auto& kHostToken = "_HOST"; + if (p.find(kHostToken) != string::npos) { + string hostname; + // Try to fill in either the FQDN or hostname. + if (!GetFQDN(&hostname).ok()) { + RETURN_NOT_OK(GetHostname(&hostname)); + } + // Hosts in principal names are canonicalized to lower-case. + std::transform(hostname.begin(), hostname.end(), hostname.begin(), tolower); + GlobalReplaceSubstring(kHostToken, hostname, &p); } - // Hosts in principal names are canonicalized to lower-case. - std::transform(hostname.begin(), hostname.end(), hostname.begin(), tolower); - GlobalReplaceSubstring("_HOST", hostname, &p); *principal = p; return Status::OK(); }
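
Review bot: in the new `if (p.find(kHostToken) != string::npos)` block, the fallback from `GetFQDN` to `GetHostname` is still silent at this call site, so a host without an FQDN gets a principal built from the short hostname with nothing here to say so. Since this change is specifically about hosts with no FQDN, consider logging a warning with the `GetFQDN` status before falling back, so that a later Kerberos login failure can be traced to the substituted name. Also, `const auto& kHostToken = "_HOST";` binds a reference to a character array, which works but is unusual; `static const char* const kHostToken` or `constexpr char kHostToken[]` states the intent more plainly. The diffstat shows only init.cc changing, so a test that sets a principal without `_HOST` and checks that startup succeeds without a hostname lookup would lock in the new behaviour.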
