Repository: kudu
Updated Branches:
refs/heads/master 368f4f734 -> 5fe0787f6
Fix security tests on macOS
This fixes a few issues:
* The macOS Heimdal Kerberos implementation stubs out
krb5_aname_to_localname. Workaround is to grab the username from the
principal instead of doing the full mapping, this should be good
enough for now.
* The curl library was linking against the system OpenSSL, to fix this
I rejiggered how we pass OpenSSL include and link flags to the
thirdparty dependencies which need them. In my opinion it's a little
bit cleaner now.
* Another test was failing because of Heimdal caching the
non-existence of credentials, the test has been disabled, since
there is no known workaround for this (it happens in
negotiation-test.cc as well).
Change-Id: I1ff10fa47cb7b8ec6f927619e1420fa5e81a7f20
Reviewed-on: http://gerrit.cloudera.org:8080/6176
Reviewed-by: Adar Dembo <[email protected]>
Tested-by: Kudu Jenkins
Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/5fe0787f
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/5fe0787f
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/5fe0787f
Branch: refs/heads/master
Commit: 5fe0787f62939c96c416dc00f5f447843b1f0ea6
Parents: 368f4f7
Author: Dan Burkert <[email protected]>
Authored: Mon Feb 27 17:30:09 2017 -0800
Committer: Dan Burkert <[email protected]>
Committed: Wed Mar 1 01:44:18 2017 +0000
----------------------------------------------------------------------
src/kudu/integration-tests/security-itest.cc | 5 ++++
src/kudu/security/init.cc | 29 +++++++++++++++++++-
src/kudu/security/test/mini_kdc-test.cc | 4 +++
thirdparty/build-definitions.sh | 33 +++--------------------
thirdparty/build-thirdparty.sh | 24 +++++++++++++++--
5 files changed, 62 insertions(+), 33 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/kudu/blob/5fe0787f/src/kudu/integration-tests/security-itest.cc
----------------------------------------------------------------------
diff --git a/src/kudu/integration-tests/security-itest.cc
b/src/kudu/integration-tests/security-itest.cc
index 71b0d28..abfdaf5 100644
--- a/src/kudu/integration-tests/security-itest.cc
+++ b/src/kudu/integration-tests/security-itest.cc
@@ -139,7 +139,11 @@ TEST_F(SecurityITest, SmokeTestAsAuthorizedUser) {
s.ToString());
}
+#ifndef __APPLE__
// Test trying to access the cluster with no Kerberos credentials at all.
+// This test is ignored on macOS because the system Kerberos implementation
+// (Heimdal) caches the non-existence of client credentials, which causes
+// subsequent tests to fail.
TEST_F(SecurityITest, TestNoKerberosCredentials) {
StartCluster();
ASSERT_OK(cluster_->kdc()->Kdestroy());
@@ -154,6 +158,7 @@ TEST_F(SecurityITest, TestNoKerberosCredentials) {
"to .*: (No Kerberos credentials available|"
"Credentials cache file.*not found)");
}
+#endif
// Test cluster access by a user who is not authorized as a client.
TEST_F(SecurityITest, TestUnauthorizedClientKerberosCredentials) {
http://git-wip-us.apache.org/repos/asf/kudu/blob/5fe0787f/src/kudu/security/init.cc
----------------------------------------------------------------------
diff --git a/src/kudu/security/init.cc b/src/kudu/security/init.cc
index 2e7d940..f235eed 100644
--- a/src/kudu/security/init.cc
+++ b/src/kudu/security/init.cc
@@ -365,6 +365,28 @@ Status GetConfiguredPrincipal(string* principal) {
return Status::OK();
}
+// macOS's Heimdal library has a no-op implementation of
+// krb5_aname_to_localname, so instead this does a crude approximation by
+// grabbing the username from the principal.
+#ifdef __APPLE__
+// Grabs the username from a krb5 principal, and writes it to the provided
+// buffer with a null terminator.
+krb5_error_code principal_to_username(krb5_const_principal princ,
+ int len,
+ char* buf) {
+ if (princ->length == 0) {
+ return KRB5_LNAME_NOTRANS;
+ }
+ auto username = princ->data[0];
+ if (username.length + 1 > len) {
+ return KRB5_CONFIG_NOTENUFSPACE;
+ }
+ // Copy username and a trailing null byte.
+ memcpy(buf, username.data, username.length);
+ username.data[username.length + 1] = 0;
+ return 0;
+}
+#endif
} // anonymous namespace
@@ -394,7 +416,12 @@ Status MapPrincipalToLocalName(const std::string&
principal, std::string* local_
krb5_free_principal(g_krb5_ctx, princ);
});
char buf[1024];
- krb5_error_code rc = krb5_aname_to_localname(g_krb5_ctx, princ,
arraysize(buf), buf);
+ krb5_error_code rc;
+#ifndef __APPLE__
+ rc = krb5_aname_to_localname(g_krb5_ctx, princ, arraysize(buf), buf);
+#else
+ rc = principal_to_username(princ, arraysize(buf), buf);
+#endif
if (rc == KRB5_LNAME_NOTRANS) {
// No name mapping specified. We fall back to simply taking the first
component
// of the principal, for compatibility with the default behavior of Hadoop.
http://git-wip-us.apache.org/repos/asf/kudu/blob/5fe0787f/src/kudu/security/test/mini_kdc-test.cc
----------------------------------------------------------------------
diff --git a/src/kudu/security/test/mini_kdc-test.cc
b/src/kudu/security/test/mini_kdc-test.cc
index e780edc..cf898ab 100644
--- a/src/kudu/security/test/mini_kdc-test.cc
+++ b/src/kudu/security/test/mini_kdc-test.cc
@@ -94,8 +94,12 @@ TEST_F(MiniKdcTest, TestBasicOperation) {
ASSERT_OK(security::MapPrincipalToLocalName("foo/[email protected]",
&local_user));
ASSERT_EQ("foo", local_user);
+ // The Heimdal implementation in macOS does not correctly implement auth to
+ // local mapping (see init.cc).
+#ifndef __APPLE__
ASSERT_OK(security::MapPrincipalToLocalName("[email protected]",
&local_user));
ASSERT_EQ("other-foo", local_user);
+#endif
}
}
http://git-wip-us.apache.org/repos/asf/kudu/blob/5fe0787f/thirdparty/build-definitions.sh
----------------------------------------------------------------------
diff --git a/thirdparty/build-definitions.sh b/thirdparty/build-definitions.sh
index d33739b..b45df3a 100644
--- a/thirdparty/build-definitions.sh
+++ b/thirdparty/build-definitions.sh
@@ -473,29 +473,12 @@ build_rapidjson() {
}
build_squeasel() {
- # Determine location of OpenSSL header files if building on OS X.
- # On OS X 10.11.x and newer, OpenSSL headers are not in /usr/include
- # anymore.
- if [ -n "$OS_OSX" ]; then
- local openssl_cflags=
- if openssl_cflags=$(pkg-config --cflags openssl) ; then
- # Using pkg-config works if OpenSSL is built via MacPorts.
- EXTRA_CFLAGS="$EXTRA_CFLAGS $openssl_cflags"
- fi
- if [ -z $openssl_cflags ]; then
- # If OpenSSL is built via brew, pkg-config does not report on cflags.
- local brew_openssl_include_dir=/usr/local/opt/openssl/include
- if [ -d $brew_openssl_include_dir ]; then
- EXTRA_CFLAGS="$EXTRA_CFLAGS -I$brew_openssl_include_dir"
- fi
- fi
- fi
# Mongoose's Makefile builds a standalone web server, whereas we just want
# a static lib
SQUEASEL_BDIR=$TP_BUILD_DIR/$SQUEASEL_NAME$MODE_SUFFIX
mkdir -p $SQUEASEL_BDIR
pushd $SQUEASEL_BDIR
- ${CC:-gcc} $EXTRA_CFLAGS -std=c99 -O3 -DNDEBUG -fPIC -c
"$SQUEASEL_SOURCE/squeasel.c"
+ ${CC:-gcc} $EXTRA_CFLAGS $OPENSSL_CFLAGS $OPENSSL_LDFLAGS -std=c99 -O3
-DNDEBUG -fPIC -c "$SQUEASEL_SOURCE/squeasel.c"
ar rs libsqueasel.a squeasel.o
cp libsqueasel.a $PREFIX/lib/
cp $SQUEASEL_SOURCE/squeasel.h $PREFIX/include/
@@ -509,21 +492,11 @@ build_curl() {
mkdir -p $CURL_BDIR
pushd $CURL_BDIR
- # If the el6 workaround openssl is present, we must build curl against that
- # version of openssl, not the system version, because at test runtime we use
- # the workaround openssl.
- local CURL_EXTRA_CPPFLAGS=""
- local CURL_EXTRA_LDFLAGS=""
- if [ -d "$OPENSSL_WORKAROUND_DIR" ]; then
- CURL_EXTRA_CPPFLAGS="-I$OPENSSL_WORKAROUND_DIR/usr/include"
- CURL_EXTRA_LDFLAGS="-L$OPENSSL_WORKAROUND_DIR/usr/lib64
-Wl,-rpath,$OPENSSL_WORKAROUND_DIR/usr/lib64"
- fi
-
# Note: curl shows a message asking for CPPFLAGS to be used for include
# directories, not CFLAGS.
CFLAGS="$EXTRA_CFLAGS" \
- CPPFLAGS="$CURL_EXTRA_CPPFLAGS" \
- LDFLAGS="$EXTRA_LDFLAGS $CURL_EXTRA_LDFLAGS" \
+ CPPFLAGS="$EXTRA_CPPFLAGS $OPENSSL_CFLAGS" \
+ LDFLAGS="$EXTRA_LDFLAGS $OPENSSL_LDFLAGS" \
LIBS="$EXTRA_LIBS" \
$CURL_SOURCE/configure \
--prefix=$PREFIX \
http://git-wip-us.apache.org/repos/asf/kudu/blob/5fe0787f/thirdparty/build-thirdparty.sh
----------------------------------------------------------------------
diff --git a/thirdparty/build-thirdparty.sh b/thirdparty/build-thirdparty.sh
index 04b52a5..fe36f5d 100755
--- a/thirdparty/build-thirdparty.sh
+++ b/thirdparty/build-thirdparty.sh
@@ -142,6 +142,14 @@ if [[ "$OSTYPE" =~ ^linux ]]; then
OS_LINUX=1
DYLIB_SUFFIX="so"
PARALLEL=${PARALLEL:-$(grep -c processor /proc/cpuinfo)}
+
+ if [ -d "$OPENSSL_WORKAROUND_DIR" ]; then
+ # If the el6 workaround openssl is present, we must build dependencies
+ # against that version of openssl, not the system version, because at test
+ # runtime we use the workaround openssl.
+ OPENSSL_CFLAGS="-I$OPENSSL_WORKAROUND_DIR/usr/include"
+ OPENSSL_LDFLAGS="-L$OPENSSL_WORKAROUND_DIR/usr/lib64
-Wl,-rpath,$OPENSSL_WORKAROUND_DIR/usr/lib64"
+ fi
elif [[ "$OSTYPE" == "darwin"* ]]; then
OS_OSX=1
DYLIB_SUFFIX="dylib"
@@ -154,6 +162,18 @@ elif [[ "$OSTYPE" == "darwin"* ]]; then
EXTRA_LDFLAGS="$EXTRA_LDFLAGS -stdlib=libc++"
EXTRA_LIBS="$EXTRA_LIBS -lc++ -lc++abi"
+ # Build against the Macports or Homebrew OpenSSL versions, in order to match
+ # the Kudu build.
+ OPENSSL_CFLAGS=$(pkg-config --cflags openssl)
+ if [ -z $OPENSSL_CFLAGS ]; then
+ # If OpenSSL is built via Homebrew, pkg-config does not report on cflags.
+ homebrew_openssl_dir=/usr/local/opt/openssl
+ if [ -d $homebrew_openssl_dir ]; then
+ OPENSSL_CFLAGS="-I$homebrew_openssl_dir/include"
+ OPENSSL_LDFLAGS="-L$homebrew_openssl_dir/lib"
+ fi
+ fi
+
# TSAN doesn't work on macOS. If it was explicitly asked for, respond with an
# error. Otherwise, just disable it silently.
if [ -n "$F_TSAN" ]; then
@@ -296,11 +316,11 @@ fi
restore_env
-# If we're on MacOs best to exit here, otherwise single dependency builds will
try to
+# If we're on macOS best to exit here, otherwise single dependency builds will
try to
# build the tsan version of the dependency (and fail).
if [[ "$OSTYPE" == "darwin"* ]]; then
- echo "Not building tsan dependencies on MacOs."
+ echo "Not building tsan dependencies on macOS."
finish
fi
