Sailesh Mukil has posted comments on this change. Change subject: IMPALA-3095: Add configurable whitelist of authorized internal principals ......................................................................
Patch Set 2: (2 comments) http://gerrit.cloudera.org:8080/#/c/2334/2/be/src/rpc/authentication.cc File be/src/rpc/authentication.cc: Line 97: C nit: formatting, space Line 414: split(whitelist, FLAGS_internal_principals_whitelist, is_any_of(",")); Since we default to hdfs, we always would get 'hdfs' here. But if the default was an empty string, the 'whitelist' vector would have an empty string entry. Then the requested user can make his name of the form "/host@realm" (where the service part is empty) and get authenticated even though that user is not a part of the whitelist. This can also happen if the customer by mistake adds a trailing or leading comma to the whitelist. We should either be extra careful and weed out empty strings here, or we should document it well that 'extra' commas are dangerous. Which do you think is better? -- To view, visit http://gerrit.cloudera.org:8080/2334 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: comment Gerrit-Change-Id: If828e86c99c3c398319953b1d3b33d5e3af200da Gerrit-PatchSet: 2 Gerrit-Project: Impala Gerrit-Branch: cdh5-2.5.0_5.7.0 Gerrit-Owner: Henry Robinson <[email protected]> Gerrit-Reviewer: Henry Robinson <[email protected]> Gerrit-Reviewer: Sailesh Mukil <[email protected]> Gerrit-HasComments: Yes
