[ https://issues.apache.org/jira/browse/IMPALA-9988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17177442#comment-17177442 ]

ASF subversion and git services commented on IMPALA-9988:
---------------------------------------------------------

Commit e63bf9d6c1b2a67f68057f2b8bf077aa7be27256 in impala's branch 
refs/heads/master from Thomas Tauber-Marshall
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=e63bf9d ]

IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

This patch fixes the integration between LDAP filters and proxy
users by ensuring that the 'impala.doas.user' HS2 config option is
considered when applying filters. This requires deferring checking the
filters until the OpenSession() call.

This patch also introduces new flags --ldap_bind_dn and
--ldap_bind_password_cmd which must be specified in order to use LDAP
filters, unless the LDAP server is set up to allow anonymous binds.

It also uses some gflag utilities from Kudu to tag
--ldap_bind_password_cmd as sensitive and redact it on the webui and
in logging in order to increase security in case a user specifies it
as 'echo <password>'.

These config options are modeled after equivalent options in Hue:
https://github.com/cloudera/hue/blob/master/desktop/conf.dist/hue.ini#L425

Testing:
- Added a test that uses the 'impala.doas.user' config with LDAP
  filters.

Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Reviewed-on: http://gerrit.cloudera.org:8080/16252
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>


> Integrate ldap filters and proxy users
> --------------------------------------
>
>                 Key: IMPALA-9988
>                 URL: https://issues.apache.org/jira/browse/IMPALA-9988
>             Project: IMPALA
>          Issue Type: Task
>          Components: Security
>            Reporter: Thomas Tauber-Marshall
>            Assignee: Thomas Tauber-Marshall
>            Priority: Major
>             Fix For: Impala 4.0
>
>
> IMPALA-2563 recently added support for specifying ldap group and user filters.
> As currently implemented, if an authorized proxy user connects, it's the proxy
> user that the filters are applied to. We should fix this so that the filters 
> are instead applied to the delegated user.


