This is an automated email from the ASF dual-hosted git repository.

aajisaka pushed a commit to branch branch-1.10
in repository https://gitbox.apache.org/repos/asf/kyuubi.git


The following commit(s) were added to refs/heads/branch-1.10 by this push:
     new 44607b18cb [KYUUBI #7265] Recommend to configure kyuubi.session.local.dir.allowlist for multi-tenant clusters
44607b18cb is described below

commit 44607b18cb6788d42a475d1b10d53c40451677ee
Author: Akira Ajisaka <[email protected]>
AuthorDate: Wed Dec 10 16:51:28 2025 +0900

    [KYUUBI #7265] Recommend to configure kyuubi.session.local.dir.allowlist for multi-tenant clusters
    
    ### Why are the changes needed?
    
    Add recommendation to protect credentials in Kyuubi server for multi-tenant use case.
    
    Fixes #7265
    
    ### How was this patch tested?
    
    New test is not added because it's only documentation and logging change.
    
    ### Was this patch authored or co-authored using generative AI tooling?
    
    No
    
    Closes #7269 from aajisaka/multi-tenant-doc.
    
    Closes #7265
    
    477ad752b [Akira Ajisaka] Fix scalastyle check
    5e947b941 [Akira Ajisaka] [KYUUBI #7265] Recommend to configure kyuubi.session.local.dir.allow.list for multi-tenant clusters.
    
    Authored-by: Akira Ajisaka <[email protected]>
    Signed-off-by: Akira Ajisaka <[email protected]>
    (cherry picked from commit 4b180d4930ff7233bfb9cf1d2b910c065415ff7e)
    Signed-off-by: Akira Ajisaka <[email protected]>
---
 docs/security/kinit.md                                              | 3 +++
 .../main/scala/org/apache/kyuubi/server/KinitAuxiliaryService.scala | 6 ++++++
 2 files changed, 9 insertions(+)

diff --git a/docs/security/kinit.md b/docs/security/kinit.md
index 0d613e0006..a5e86f7a20 100644
--- a/docs/security/kinit.md
+++ b/docs/security/kinit.md
@@ -101,6 +101,9 @@ hadoop.proxyuser.<user name in principal>.groups *
 hadoop.proxyuser.<user name in principal>.hosts *
 ```
 
+Also, you must configure `kyuubi.session.local.dir.allow.list` to exclude your 
Kyuubi server's keytab and any other credential from the local directories.
+Otherwise, any user who can login to the Kyuubi server via Kyuubi frontend 
protocols is possible to obtain the keytab and to impersonate the users 
configured by Hadoop proxy user settings.
+
 ## Further Readings
 
 - [Hadoop in Secure 
Mode](https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html)
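Review bot: In the added paragraph, "configure `kyuubi.session.local.dir.allow.list` to exclude your Kyuubi server's keytab" describes an allow list as if it were a deny list, so a reader cannot tell what value to set. Suggest saying that the list should name only the permitted local directories and that none of them may contain the keytab or any other credential, ideally with one sample value. "is possible to obtain the keytab" should read "can obtain the keytab". The commit subject also spells the key `kyuubi.session.local.dir.allowlist` while this text uses `allow.list`; one of the two needs correcting.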
diff --git 
a/kyuubi-server/src/main/scala/org/apache/kyuubi/server/KinitAuxiliaryService.scala
 
b/kyuubi-server/src/main/scala/org/apache/kyuubi/server/KinitAuxiliaryService.scala
index a8997401ac..49f903fd69 100644
--- 
a/kyuubi-server/src/main/scala/org/apache/kyuubi/server/KinitAuxiliaryService.scala
+++ 
b/kyuubi-server/src/main/scala/org/apache/kyuubi/server/KinitAuxiliaryService.scala
@@ -44,6 +44,12 @@ class KinitAuxiliaryService() extends 
AbstractService("KinitAuxiliaryService") {
       kinitMaxAttempts = conf.get(KyuubiConf.KINIT_MAX_ATTEMPTS)
 
       require(keytab.nonEmpty && principal.nonEmpty, "principal or keytab is 
missing")
+      if (conf.get(KyuubiConf.ENGINE_DO_AS_ENABLED) &&
+        conf.get(KyuubiConf.SESSION_LOCAL_DIR_ALLOW_LIST).isEmpty) {
+        warn(s"User impersonation is enabled, but 
${KyuubiConf.SESSION_LOCAL_DIR_ALLOW_LIST}" +
+          " is unset. We strongly recommend to configure the allowed local dir 
list" +
+          " to exclude any credential including keytab.")
+      }
       UserGroupInformation.loginUserFromKeytab(principal.get, keytab.get)
       val krb5Conf = Option(System.getProperty("java.security.krb5.conf"))
         .orElse(Option(System.getenv("KRB5_CONFIG")))
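Review bot: In the `warn(...)` call, `${KyuubiConf.SESSION_LOCAL_DIR_ALLOW_LIST}` interpolates the config entry object itself (the same value passed to `conf.get` in the condition above it), so the logged text depends on that object's `toString`; interpolate the entry's key string instead so the message shows the exact setting name an operator has to set. The check only warns, while the documentation added in this same commit says the setting "must" be configured, so either align the wording of the two or state in the log message what is exposed when the list is empty. "recommend to configure" reads better as "recommend configuring".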
