Josh Elser created CALCITE-1282:
-----------------------------------
Summary: Avatica will only accept SPNEGO-authenticated clients from the same realm as the server's principal
Key: CALCITE-1282
URL: https://issues.apache.org/jira/browse/CALCITE-1282
Project: Calcite
Issue Type: Bug
Components: avatica
Affects Versions: avatica-1.8.0
Reporter: Josh Elser
Assignee: Josh Elser
Priority: Critical
Fix For: avatica-1.9.0
When setting up the Jetty security Constraint class, Jetty treats Kerberos
realms as "roles". When configuring allowed users to Jetty with some
constraint, you have to set what roles (realms) are allowed.
Presently, Avatica just sets the realm of the server's principal as allowed,
which means that in some multi-realm KDC (or cross-domain MIT KRB+Active
Directory) setups, users from the other realm who should be allowed are denied.
Even better, Jetty's syntax for {{\*}} for allowing any role (realm) doesn't
actually work. Their logic in 9.2.15 for {{ConstraintSecurityHandler}} appears
broken:
{code}
// handle * role constraint
// (Jetty 9.2.15 ConstraintSecurityHandler, as quoted in this issue)
if (roleInfo.isAnyRole() && request.getUserPrincipal() != null && isUserInRole)
{
    return true;
}
{code}
The above check should let users through with any role when {{isAnyRole()}}
returns true, but the final {{isUserInRole}} check requires that the role is
explicitly listed in the list of allowedRoles.
As such, since Jetty is busted, we're going to need to expose an API which
allows users to set a list of allowed realms in order to make Kerberos
authentication actually work correctly.
Thanks to [~kliew] for bringing this one to my attention.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
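The configuration the issue describes, as an added example that is not code from the Avatica project or from Jetty: a Jetty 9.2 `ConstraintSecurityHandler` for SPNEGO whose allowed "roles" are an explicit list of Kerberos realms rather than only the server principal's realm. The class and method names (`MultiRealmSpnegoExample`, `buildSpnegoHandler`, `realmOf`), the realm names, the port and the `spnego.properties` path are illustrative assumptions; the Jetty classes and methods are the ones Jetty 9.2 ships. It deliberately avoids `Constraint.ANY_ROLE` (`*`), for the reason the issue gives.

```java
// Added example, not Avatica or Jetty project code. Jetty's SpnegoLoginService
// reports the authenticated principal's realm as that user's only role, so
// every realm a client may come from has to be listed as an allowed role on
// the Constraint. Names, realms and paths below are illustrative assumptions.
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.SpnegoLoginService;
import org.eclipse.jetty.security.authentication.SpnegoAuthenticator;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.util.security.Constraint;

public class MultiRealmSpnegoExample {

  /**
   * Builds a SPNEGO security handler that admits users from the server's own
   * realm plus any additional realms the deployer names.
   *
   * @param serverPrincipal the server's Kerberos principal, e.g. HTTP/host@EXAMPLE.COM
   * @param extraRealms     other realms whose users should be admitted (may be empty)
   * @param spnegoConfig    path to Jetty's spnego.properties (targetName etc.)
   */
  static ConstraintSecurityHandler buildSpnegoHandler(String serverPrincipal,
      String[] extraRealms, String spnegoConfig) {
    String serverRealm = realmOf(serverPrincipal);

    // Allowed "roles" are realms. Listing only serverRealm reproduces the
    // behaviour reported in the issue: users from any other realm are denied.
    // Constraint.ANY_ROLE ("*") is not used because, per the issue, Jetty
    // 9.2.15's isUserInRole check still demands an explicitly listed role.
    Set<String> allowedRealms = new LinkedHashSet<>();
    allowedRealms.add(serverRealm);
    allowedRealms.addAll(Arrays.asList(extraRealms));

    Constraint constraint = new Constraint();
    constraint.setName(Constraint.__SPNEGO_AUTH);
    constraint.setRoles(allowedRealms.toArray(new String[0]));
    constraint.setAuthenticate(true);

    ConstraintMapping mapping = new ConstraintMapping();
    mapping.setConstraint(constraint);
    mapping.setPathSpec("/*");

    // The login service is named after the server's realm; the user's realm
    // (text after '@' in the client principal) becomes the role Jetty checks.
    SpnegoLoginService loginService = new SpnegoLoginService(serverRealm, spnegoConfig);

    ConstraintSecurityHandler handler = new ConstraintSecurityHandler();
    handler.setAuthenticator(new SpnegoAuthenticator());
    handler.setLoginService(loginService);
    handler.setRealmName(serverRealm);
    handler.addConstraintMapping(mapping);
    // The application handler (e.g. Avatica's servlet) is wrapped via
    // handler.setHandler(...) by the caller; omitted here.
    return handler;
  }

  /** Extracts the realm from a principal of the form primary/instance@REALM. */
  static String realmOf(String principal) {
    int at = principal.lastIndexOf('@');
    if (at < 0) {
      throw new IllegalArgumentException("Principal has no realm: " + principal);
    }
    return principal.substring(at + 1);
  }

  public static void main(String[] args) throws Exception {
    // Assumed deployment: the server principal lives in EXAMPLE.COM and users
    // from a trusted Active Directory realm CORP.EXAMPLE.COM must also connect.
    Server server = new Server(8765);
    server.setHandler(buildSpnegoHandler("HTTP/avatica.example.com@EXAMPLE.COM",
        new String[] {"CORP.EXAMPLE.COM"}, "/etc/avatica/spnego.properties"));
    server.start();
    server.join();
  }
}
```

Running this still needs the usual Jetty SPNEGO prerequisites: a JAAS configuration pointed at by `java.security.auth.login.config` with the server keytab, and a `spnego.properties` whose `targetName` is the server principal. The check a practitioner wants is the negative one: with `extraRealms` empty, a client holding a ticket from CORP.EXAMPLE.COM is rejected with 403 after a successful SPNEGO exchange, exactly the symptom the issue reports; adding the realm to the list admits it.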