Repository: incubator-impala
Updated Branches:
  refs/heads/master 0d5fcc866 -> e06268e82

Allow configuration of values passed into kerberos env vars

We always used hardcoded constants for the following kerberos environment variables: KRB5CCNAME and KRB5RCACHETYPE.

This patch allows for the configuration of these variables by taking arguments to InitKerberosForServer(). Callsites within Kudu have not been changed as all the parameters have default values.

The motivation for this patch is that Impala, as a user of the KuduRPC and Kudu security libraries, needs to have a file-based credential cache since the kinit happens on the C++ side and this cache needs to be read by the Java side too. Hence, we cannot have it in memory.

Also, Impala still requires replay protection, since some Impala services use Thrift which lacks the nonce mechanism that KRPC uses for replay protection.

Change-Id: Iab4ce72c04ec4056dc89fb4c1c540a6fdaca4404
Reviewed-on: http://gerrit.cloudera.org:8080/8247
Reviewed-by: Todd Lipcon <[email protected]>
Tested-by: Todd Lipcon <[email protected]>
Reviewed-on: http://gerrit.cloudera.org:8080/8308
Reviewed-by: Michael Ho <[email protected]>
Tested-by: Impala Public Jenkins

Project: http://git-wip-us.apache.org/repos/asf/incubator-impala/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-impala/commit/b95732b8
Tree: http://git-wip-us.apache.org/repos/asf/incubator-impala/tree/b95732b8
Diff: http://git-wip-us.apache.org/repos/asf/incubator-impala/diff/b95732b8

Branch: refs/heads/master
Commit: b95732b80c998996adb8d7956ab8b71e4ca41540
Parents: 0d5fcc8
Author: Sailesh Mukil <[email protected]>
Authored: Mon Oct 9 23:20:39 2017 -0700
Committer: Impala Public Jenkins <[email protected]>
Committed: Wed Oct 18 20:26:41 2017 +0000

----------------------------------------------------------------------
 be/src/kudu/security/init.cc | 20 +++++++++-----------
 be/src/kudu/security/init.h  | 11 ++++++++++-
 2 files changed, 19 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/b95732b8/be/src/kudu/security/init.cc ---------------------------------------------------------------------- diff --git a/be/src/kudu/security/init.cc b/be/src/kudu/security/init.cc index 9678373..9c4bdda 100644 --- a/be/src/kudu/security/init.cc +++ b/be/src/kudu/security/init.cc @@ -450,21 +450,19 @@ boost::optional<string> GetLoggedInUsernameFromKeytab() { return g_kinit_ctx->username_str(); } -Status InitKerberosForServer() { +Status InitKerberosForServer(const std::string& krb5ccname, bool disable_krb5_replay_cache) { if (FLAGS_keytab_file.empty()) return Status::OK(); - // Have the daemons use an in-memory ticket cache, so they don't accidentally - // pick up credentials from test cases or any other daemon. - // TODO(todd): extract these krb5 env vars into some constants since they're - // typo-prone. - setenv("KRB5CCNAME", "MEMORY:kudu", 1); + setenv("KRB5CCNAME", krb5ccname.c_str(), 1); setenv("KRB5_KTNAME", FLAGS_keytab_file.c_str(), 1); - // KUDU-1897: disable the Kerberos replay cache. The KRPC protocol includes a - // per-connection server-generated nonce to protect against replay attacks - // when authenticating via Kerberos. The replay cache has many performance and - // implementation issues. - setenv("KRB5RCACHETYPE", "none", 1); + if (disable_krb5_replay_cache) { + // KUDU-1897: disable the Kerberos replay cache. The KRPC protocol includes a + // per-connection server-generated nonce to protect against replay attacks + // when authenticating via Kerberos. The replay cache has many performance and + // implementation issues. + setenv("KRB5RCACHETYPE", "none", 1); + } g_kinit_ctx = new KinitContext(); string principal; http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/b95732b8/be/src/kudu/security/init.h ---------------------------------------------------------------------- diff --git a/be/src/kudu/security/init.h b/be/src/kudu/security/init.h index 60a5a5e..c6ee264 100644 
--- a/be/src/kudu/security/init.h +++ b/be/src/kudu/security/init.h @@ -27,9 +27,18 @@ class Status; namespace security { +// The default kerberos credential cache name. +// Have the daemons use an in-memory ticket cache, so they don't accidentally +// pick up credentials from test cases or any other daemon. +static const std::string kKrb5CCName = "MEMORY:kudu"; + // Initializes Kerberos for a server. In particular, this processes // the '--keytab_file' command line flag. -Status InitKerberosForServer(); +// 'krb5ccname' is passed into the KRB5CCNAME env var. +// 'disable_krb5_replay_cache' if set to true, disables the kerberos replay cache by setting +// the KRB5RCACHETYPE env var to "none". +Status InitKerberosForServer(const std::string& krb5ccname = kKrb5CCName, + bool disable_krb5_replay_cache = true); // Returns the process lock 'kerberos_reinit_lock' // This lock is taken in write mode while the ticket is being reacquired, and
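Review bot: In be/src/kudu/security/init.cc, the new `if (disable_krb5_replay_cache)` block has no else branch, so passing false only skips the setenv and leaves whatever KRB5RCACHETYPE the process inherited. A caller that needs replay protection (the commit message names the Thrift-based services) would run without it if the parent environment already exports KRB5RCACHETYPE=none. Consider clearing the variable in the false case, or logging the effective value, and state in the comment which behaviour is intended. The return values of the setenv calls are also unchecked, and an empty krb5ccname is passed straight through to KRB5CCNAME.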
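Review bot: In be/src/kudu/security/init.h, `static const std::string kKrb5CCName = "MEMORY:kudu";` defines a non-trivial static object in a header, so every translation unit that includes it gets its own copy with a dynamic initializer, and a call made during static initialization that relies on the default argument is order-dependent. A `const char` array or a small function returning the default avoids that. Separately, the doc comment for 'disable_krb5_replay_cache' should say that true is only appropriate when every Kerberos-authenticated protocol in the process has its own replay protection, as the KRPC nonce described in init.cc provides, and that other callers must pass false. A bare `InitKerberosForServer(name, false)` at a call site is also hard to read, so an enum or named constant for the second argument would help.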
