Bharath Vissapragada has posted comments on this change.

Change subject: IMPALA-2660: Respect auth_to_local configs from hdfs configs
......................................................................
Patch Set 2:

Patch-set2 gets rid of RuntimeEnv dependency for User class for tests. This is done to prevent dependency of libfesupport.so.

Additionally I did some manual testing by building a parcel and deploying it on a cluster. Manual tests cover two scenarios (1) Single Realm and (2) Cross realm. Here is a screengrab from the test runs. This parcel is deployed on http://imp2660-imp-1.vpc.cloudera.com:7180/ if someone wants to play with it.

(1) Single realm kerberos.

Auth_to_local configuration in CM

RULE:[1:$1@$0](.*@VPC.CLOUDERA.COM)s/(.*)@VPC.CLOUDERA.COM/$1test/g
RULE:[1:$1]
RULE:[2:$1]
DEFAULT

// Create a “test_role” using admin keytab.
[root@imp2660-imp-2 64-impala-IMPALAD]# kinit -kt impala.keytab impala/[email protected]
[root@imp2660-imp-2 64-impala-IMPALAD]# impala-shell
[imp2660-imp-2.vpc.cloudera.com:21000] > create role test_role;
Query: create role test_role

// GRANT ALL on default db to “test_role”
[imp2660-imp-2.vpc.cloudera.com:21000] > grant all on database default to role test_role;

// GRANT test_role to user “test”
[imp2660-imp-2.vpc.cloudera.com:21000] > grant role test_role to group test;
Query: grant role test_role to group test

// kinit as test and try “show tables”. It is expected to fail because the above auth_to_local rule converts the user to testtest;
[root@imp2660-imp-2 64-impala-IMPALAD]# kinit test
[imp2660-imp-2.vpc.cloudera.com:21000] > show tables;
Query: show tables
ERROR: AuthorizationException: User '[email protected]' does not have privileges to access: default.*

// Now grant the role test_role to user testtest. (Also add the corresponding groups locally in OS.)
[imp2660-imp-2.vpc.cloudera.com:21000] > grant role test_role to group testtest;
Query: grant role test_role to group testtest
[imp2660-imp-2.vpc.cloudera.com:21000] > show tables;
Query: show tables
+-----------+
| name      |
+-----------+
| customers |
| sample_07 |
| sample_08 |
| web_logs  |
+-----------+
Fetched 4 row(s) in 0.05s

(2) Cross realm testing.
====================

We use the following auth_to_local config in CM. (This forces the users from REALM VPC.CLOUDERA.COM and ideally shouldn’t match users from any other realm).

RULE:[1:$1@$0](.*@VPC.CLOUDERA.COM)s/(.*)@VPC.CLOUDERA.COM/$1/g

Configured cross realm trust between my cluster and nightly-kerberized-*.gce.cloudera.com. krb5.conf looks something like this. It's a trust between the realms GCE.CLOUDERA.COM and VPC.CLOUDERA.COM.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 renew_lifetime = 30m # default is 0
 default_realm = GCE.CLOUDERA.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 15m
 forwardable = yes
 allow_weak_crypto = true

[realms]
 GCE.CLOUDERA.COM = {
  kdc = nightly-kerberized-1.gce.cloudera.com:88
  admin_server = nightly-kerberized-1.gce.cloudera.com:749
  default_domain = gce.cloudera.com
 }
 VPC.CLOUDERA.COM = {
  kdc = imp2660-imp-1.vpc.cloudera.com:88
  admin_server = imp2660-imp-1.vpc.cloudera.com:749
  default_domain = vpc.cloudera.com
 }

[domain_realm]
 .gce.cloudera.com = GCE.CLOUDERA.COM
 gce.cloudera.com = GCE.CLOUDERA.COM
 .vpc.cloudera.com = VPC.CLOUDERA.COM
 vpc.cloudera.com = VPC.CLOUDERA.COM

// create a user test in realm GCE.CLOUDERA.COM
[root@nightly-kerberized-1 ~]# sudo kadmin.local
Authenticating as principal test/[email protected] with password.
kadmin.local: addprinc test
WARNING: no policy specified for [email protected]; defaulting to no policy

// kinit as [email protected] and connect to an impalad in realm VPC.CLOUDERA.COM; if the cross realm is set up properly, the auth should go through.
// Try show tables command. It should fail because no auth_to_local rules apply for this username.
[root@nightly-kerberized-1 ~]# kinit test
Password for [email protected]:
[root@nightly-kerberized-1 ~]# impala-shell -i imp2660-imp-2.vpc.cloudera.com
/usr/bin/impala-shell: line 43: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8): No such file or directory
/usr/bin/impala-shell: line 43: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8): No such file or directory
Starting Impala Shell without Kerberos authentication
Error connecting: TTransportException, TSocket read 0 bytes
Kerberos ticket found in the credentials cache, retrying the connection with a secure transport.
Connected to imp2660-imp-2.vpc.cloudera.com:21000
Server version: impalad version 2.6.0-cdh5-INTERNAL DEBUG (build 108597d2534ffd350230604c6351766491af1bd7)
***********************************************************************************
Welcome to the Impala shell. Copyright (c) 2015 Cloudera, Inc. All rights reserved.
(Impala Shell v2.6.0-cdh5-INTERNAL (d4d0c59) built on Mon Apr 18 10:16:43 PDT 2016)

To see live updates on a query's progress, run 'set LIVE_SUMMARY=1;'.
***********************************************************************************
[imp2660-imp-2.vpc.cloudera.com:21000] > show tables;
Query: show tables
ERROR: IllegalStateException: No rules applied to [email protected]

Now we add the auth_to_local configs for the new realm to include rules for the realm GCE.CLOUDERA.COM

RULE:[1:$1@$0](.*@VPC.CLOUDERA.COM)s/(.*)@VPC.CLOUDERA.COM/$1/g
RULE:[1:$1@$0](.*@\QGCE.CLOUDERA.COM\E$)s/@\QGCE.CLOUDERA.COM\E$//
RULE:[2:$1@$0](.*@\QGCE.CLOUDERA.COM\E$)s/@\QGCE.CLOUDERA.COM\E$//
DEFAULT

Now try show tables and it should work.
[imp2660-imp-2.vpc.cloudera.com:21000] > show tables;
Query: show tables
+-----------+
| name      |
+-----------+
| customers |
| sample_07 |
| sample_08 |
| web_logs  |
+-----------+

-- 
To view, visit http://gerrit.cloudera.org:8080/2800
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I76485b83c14ba26f6fce66e5f83e8014667829e0
Gerrit-PatchSet: 2
Gerrit-Project: Impala
Gerrit-Branch: cdh5-trunk
Gerrit-Owner: Bharath Vissapragada <[email protected]>
Gerrit-Reviewer: Bharath Vissapragada <[email protected]>
Gerrit-HasComments: No
