[
https://issues.apache.org/jira/browse/IMPALA-7585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16636192#comment-16636192
]
ASF subversion and git services commented on IMPALA-7585:
---------------------------------------------------------
Commit e1d1b4f14f1a2d8cab378b419eed3c4e4590a311 in impala's branch
refs/heads/master from Michael Ho
[ https://git-wip-us.apache.org/repos/asf?p=impala.git;h=e1d1b4f ]
IMPALA-7585: Always set user credentials after creating RPC proxy

kudu::rpc::Proxy() ctor may fail in GetLoggedInUser() for various reasons
(e.g. missing certain libraries). This resulted in an empty username being
used in kudu::rpc::ConnectionId. With plaintext SASL (e.g. in an insecure
Impala cluster), this may result in the following error during connection
negotiation:

Not authorized: Client connection negotiation failed: client connection to
127.0.0.1:27000: SASL(-1): generic failure: All-whitespace username.

In Impala, we don't consider failing GetLoggedInUser() a fatal error.
This change fixes the issue above by always explicitly setting the
username after creating the proxy. The username is "impala". Please
note that this username is not really used anywhere for authorization
for RPC services. Authorization is only done when authentication is
enabled with Kerberos. With Kerberos enabled, the username is derived
from the Kerberos principal instead of the user credentials set in
the ConnectionId. It's there mostly to satisfy the SASL plaintext case.

rpc-mgr-test has been updated to test for this string when Kerberos is
disabled.

Testing done: core test; rpc-mgr-test; rpc-mgr-kerberized-test

Change-Id: I75059f55bcdb8f95916610100cad4d8280daf3f6
Reviewed-on: http://gerrit.cloudera.org:8080/11477
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
> Always set user credentials after creating a KRPC proxy
> -------------------------------------------------------
>
> Key: IMPALA-7585
> URL: https://issues.apache.org/jira/browse/IMPALA-7585
> Project: IMPALA
> Issue Type: Bug
> Components: Distributed Exec
> Affects Versions: Impala 3.0, Impala 2.12.0
> Reporter: Michael Ho
> Assignee: Michael Ho
> Priority: Major
>
> {{kudu::rpc::Proxy}} ctor may fail in {{GetLoggedInUser()}} for various
> reasons:
> {noformat}
> Error calling getpwuid_r(): No such file or directory (error 2).
> {noformat}
> This resulted in an empty user name being used in
> {{kudu::rpc::ConnectionId}}. With plaintext SASL (e.g. in an insecure Impala
> cluster), this may result in the following error:
> {noformat}
> Not authorized: Client connection negotiation failed: client connection to
> 127.0.0.1:27000: SASL(-1): generic failure: All-whitespace username.
> {noformat}
> While one can argue that Kudu should fall back to some default username (e.g.
> "cpp-client") when {{GetLoggedInUserName()}} fails, it may have non-trivial
> consequences (e.g. generating an authn token with some random username on one
> machine while using the real user name on another machine). Therefore, it's
> best for Impala to explicitly set the user credentials
> (impala/<some-hostname>) after creating the proxy.
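
The failure mode and fix described in this message, as an added C++ example that is not Impala or Kudu code: a non-fatal user lookup leaves the username empty, and setting it unconditionally after construction avoids the all-whitespace value. `UserLookup`, `ProxyModel` and `MakeProxy` are hypothetical stand-ins, and the failing lookup in `main` is constructed.

```cpp
#include <pwd.h>
#include <unistd.h>
#include <cerrno>
#include <functional>
#include <string>
#include <vector>

using UserLookup = std::function<bool(std::string*)>;

// Resolve the process owner's name with getpwuid_r(); false if no entry is found.
bool LookupLoggedInUser(std::string* name) {
  long hint = sysconf(_SC_GETPW_R_SIZE_MAX);
  std::vector<char> buf(hint > 0 ? static_cast<size_t>(hint) : 1024);
  struct passwd pwd;
  struct passwd* result = nullptr;
  int rc;
  while ((rc = getpwuid_r(geteuid(), &pwd, buf.data(), buf.size(), &result)) == ERANGE)
    buf.resize(buf.size() * 2);  // entry did not fit; retry with a larger buffer
  if (rc != 0 || result == nullptr) return false;
  name->assign(pwd.pw_name);
  return true;
}

// True for "" as well as "  \t", the kind of value the quoted SASL error rejects.
bool IsAllWhitespace(const std::string& s) {
  return s.find_first_not_of(" \t\r\n\v\f") == std::string::npos;
}

// Hypothetical stand-in for an RPC proxy: a failed lookup is not fatal, the name stays empty.
class ProxyModel {
 public:
  explicit ProxyModel(const UserLookup& lookup) { if (!lookup(&user_)) user_.clear(); }
  void set_user(const std::string& user) { user_ = user; }
  const std::string& user() const { return user_; }
  bool UsableForPlainSasl() const { return !IsAllWhitespace(user_); }
 private:
  std::string user_;
};

// The commit's pattern: set the username unconditionally after construction.
ProxyModel MakeProxy(const UserLookup& lookup, const std::string& service_user) {
  ProxyModel proxy(lookup);
  proxy.set_user(service_user);
  return proxy;
}

int main() {
  UserLookup broken = [](std::string*) { return false; };  // constructed failure
  ProxyModel bare(broken), fixed = MakeProxy(broken, "impala");
  return (!bare.UsableForPlainSasl() && fixed.UsableForPlainSasl()) ? 0 : 1;
}
```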