[ https://issues.apache.org/jira/browse/IMPALA-8154?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16764025#comment-16764025 ]
ASF subversion and git services commented on IMPALA-8154:
---------------------------------------------------------

Commit bf96eb30a2b96a945fc7c10716252ea37dc665f5 in impala's branch refs/heads/master from Michael Ho
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=bf96eb3 ]

IMPALA-8154: Disable Kerberos auth_to_local setting

Before KRPC, the local name mapping was done from the principal name entirely. With KRPC, Impala started to use the system auth_to_local rules as the Kudu security code has "--use_system_auth_to_local=true" by default. This can cause regression if local auth is configured in the krb5.conf (e.g. with SSSD with AD) as we started enforcing authorization based on Kerberos principal after this commit (https://github.com/apache/impala/commit/5c541b960491ba91533712144599fb3b6d99521d)

This change fixes the problem by explicitly setting FLAGS_use_system_auth_to_local to false during initialization.

Testing done: Enabled auth_to_local in a Kerberized cluster to map "impala/<hostname>" to foobar and verified queries still worked as expected.

Change-Id: I0b0ad79b56cd5cdd3108c6f973e71a9416efbac8
Reviewed-on: http://gerrit.cloudera.org:8080/12405
Reviewed-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Tested-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>

> Disable auth_to_local by default
> --------------------------------
>
> Key: IMPALA-8154
> URL: https://issues.apache.org/jira/browse/IMPALA-8154
> Project: IMPALA
> Issue Type: Bug
> Components: Distributed Exec
> Affects Versions: Impala 2.12.0, Impala 3.1.0
> Reporter: Michael Ho
> Assignee: Michael Ho
> Priority: Major
>
> Before KRPC the local name mapping was done from the principal name entirely,
> however when KRPC is enabled Impala starts to use the system auth_to_local
> rules, "use_system_auth_to_local" is enabled by default. This can cause
> regression in cases where localauth is configured in the krb5.conf. This may
> cause issue for connection between Impalad after [this
> commit|https://github.com/apache/impala/commit/5c541b960491ba91533712144599fb3b6d99521d]
> The fix is to disable use_system_auth_to_local by default.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
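The regression described in the commit message, as an added example that is not part of the original message or of Impala's code: a simplified model of krb5 `auth_to_local` (only `DEFAULT` and `RULE:[n:fmt](regex)s/pat/repl/` are handled) compared with deriving the local name from the principal alone. The realm, hostname, rule set, function names, and the assumption that the principal-only name is the first component and must equal `impala` are constructed for illustration.

```python
import re

# Subset of the krb5.conf auth_to_local rule syntax handled by this model.
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")

def split_principal(principal):
    """'impala/host@REALM' -> (['impala', 'host'], 'REALM')."""
    name, _, realm = principal.partition("@")
    return name.split("/"), realm

def principal_only_name(principal):
    """Assumed pre-KRPC behaviour: the name comes from the principal alone."""
    return split_principal(principal)[0][0]

def system_auth_to_local(principal, rules, default_realm):
    """First applicable rule wins; None means no rule mapped the principal."""
    comps, realm = split_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only applies to one-component names in the default realm.
            if len(comps) == 1 and realm == default_realm:
                return comps[0]
            continue
        m = RULE_RE.match(rule)
        if not m or int(m.group(1)) != len(comps):
            continue
        _, fmt, regex, pat, repl, g = m.groups()
        # $0 expands to the realm, $1..$n to the principal's components.
        s = re.sub(r"\$(\d)", lambda d: ([realm] + comps)[int(d.group(1))], fmt)
        if regex is not None and not re.fullmatch(regex, s):
            continue
        if pat is not None:
            s = re.sub(pat, repl, s, count=0 if g else 1)
        return s
    return None

def is_authorized(local_name, expected_service="impala"):
    """Hypothetical peer check: the mapped name must be the service name."""
    return local_name == expected_service

# Constructed sample: the mapping used in the commit's "Testing done" note.
PEER = "impala/host1.example.com@EXAMPLE.COM"
RULES = ["RULE:[2:$1](impala)s/^impala$/foobar/", "DEFAULT"]

if __name__ == "__main__":
    for label, name in (
            ("principal only", principal_only_name(PEER)),
            ("system rules", system_auth_to_local(PEER, RULES, "EXAMPLE.COM"))):
        print(f"{label:15} -> {name!r:9} authorized={is_authorized(name)}")
```

With the system rules in effect the peer maps to `foobar` and fails the check, which is the failure mode that setting `FLAGS_use_system_auth_to_local` to false avoids.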