[
https://issues.apache.org/jira/browse/IMPALA-6859?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16665757#comment-16665757
]
Tim Armstrong commented on IMPALA-6859:
---------------------------------------
Fixed by
commit 5c541b960491ba91533712144599fb3b6d99521d
Author: Michael Ho <[email protected]>
Date: Thu Aug 23 00:33:16 2018 -0700
Add missing authorization in KRPC
In 2.12.0, Impala adopted Kudu RPC library for certain backened services
(TransmitData(), EndDataStream()). While the implementation uses Kerberos
for authenticating users connecting to the backend services, there is no
authorization implemented. This is a regression from the Thrift based
implementation because it registered a SASL callback (SaslAuthorizeInternal)
to be invoked during the connection negotiation. With this regression,
an unauthorized but authenticated user may invoke RPC calls to Impala
backend
services.
This change fixes the issue above by overriding the default authorization
method
for the DataStreamService. The authorization method will only let
authenticated
principal which matches FLAGS_principal / FLAGS_be_principal to access the
service.
Also added a new startup flag --krb5_ccname to allow users to customize the
locations
of the Kerberos credentials cache.
Testing done:
1. Added a new test case in rpc-mgr-kerberized-test.cc to confirm an
unauthorized
user is not allowed to access the service.
2. Ran some queries in a Kerberos enabled cluster to make sure there is no
error.
3. Exhaustive builds.
Thanks to Todd Lipcon for pointing out the problem and his guidance on the
fix.
Change-Id: I2f82dee5e721f2ed23e75fd91abbc6ab7addd4c5
Reviewed-on: http://gerrit.cloudera.org:8080/11331
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
> De-templatize RpcMgrTestBase
> ----------------------------
>
> Key: IMPALA-6859
> URL: https://issues.apache.org/jira/browse/IMPALA-6859
> Project: IMPALA
> Issue Type: Task
> Components: Backend
> Affects Versions: Impala 3.0
> Reporter: Sailesh Mukil
> Assignee: Michael Ho
> Priority: Major
> Labels: security, test
> Fix For: Impala 3.1.0
>
>
> Now that we've gotten rid of the old way of Kinit-ing (IMPALA-5893), we can
> detemplatize RpcMgrTestBase, since there's only one option to run the
> kerberos tests with.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
