[jira] [Commented] (IMPALA-8154) Disable auth_to_local by default

ASF subversion and git services (JIRA) Fri, 08 Feb 2019 17:51:15 -0800


    [ 
https://issues.apache.org/jira/browse/IMPALA-8154?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16764025#comment-16764025
 ]


ASF subversion and git services commented on IMPALA-8154:
---------------------------------------------------------

Commit bf96eb30a2b96a945fc7c10716252ea37dc665f5 in impala's branch 
refs/heads/master from Michael Ho
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=bf96eb3 ]

IMPALA-8154: Disable Kerberos auth_to_local setting

Before KRPC, the local name mapping was done from the principal name entirely.
With KRPC, Impala started to use the system auth_to_local rules as the Kudu
security code has "--use_system_auth_to_local=true" by default. This can cause
regression if local auth is configured in the krb5.conf (e.g. with  SSSD with 
AD)
as we started enforcing authorization based on Kerberos principal after this
commit 
(https://github.com/apache/impala/commit/5c541b960491ba91533712144599fb3b6d99521d)

This change fixes the problem by explicitly setting 
FLAGS_use_system_auth_to_local
to false during initialization.

Testing done: Enabled auth_to_local in a Kerberized cluster to map 
"impala/<hostname>"
to foobar and verified queries still worked as expected.

Change-Id: I0b0ad79b56cd5cdd3108c6f973e71a9416efbac8
Reviewed-on: http://gerrit.cloudera.org:8080/12405
Reviewed-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Tested-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>


> Disable auth_to_local by default
> --------------------------------
>
>                 Key: IMPALA-8154
>                 URL: https://issues.apache.org/jira/browse/IMPALA-8154
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Distributed Exec
>    Affects Versions: Impala 2.12.0, Impala 3.1.0
>            Reporter: Michael Ho
>            Assignee: Michael Ho
>            Priority: Major
>
> Before KRPC the local name mapping was done from the principal name entirely, 
> however when KRPC is enabled Impala starts to use the system auth_to_local 
> rules, "use_system_auth_to_local" is enabled by default. This can cause 
> regression in cases where localauth is configured in the krb5.conf. This may 
> cause issue for connection between Impalad after [this 
> commit|https://github.com/apache/impala/commit/5c541b960491ba91533712144599fb3b6d99521d]
> The fix is to disable use_system_auth_to_local by default.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org
For additional commands, e-mail: issues-all-h...@impala.apache.org

[jira] [Commented] (IMPALA-8154) Disable auth_to_local by default

Reply via email to