[ https://issues.apache.org/jira/browse/CALCITE-1282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15322755#comment-15322755 ]

Josh Elser commented on CALCITE-1282:
-------------------------------------

bq. Have you logged a bug on Jetty?

Not yet. Need to do some searching first to see if this was already addressed.

bq. is fixing Jetty an option?

Even if we could fix Jetty, the existing API provided for downstream projects 
to configure the Avatica server doesn't expose the allowedRoles option (I 
didn't realize it affected things for the SPNEGO auth when implementing it -- 
only wired it up for Basic and Digest auth). Either way, we're going to have to 
add some code -- the Jetty bug is just going to require downstream users to 
have to explicitly list all roles instead of just setting {{*}} which is more 
of a nuisance than a limitation.


> Avatica will only accept SPNEGO-authenticated clients from the same realm as 
> the server's principal
> ---------------------------------------------------------------------------------------------------
>
>                 Key: CALCITE-1282
>                 URL: https://issues.apache.org/jira/browse/CALCITE-1282
>             Project: Calcite
>          Issue Type: Bug
>          Components: avatica
>    Affects Versions: avatica-1.8.0
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>            Priority: Critical
>             Fix For: avatica-1.9.0
>
>
> When setting up the Jetty security Constraint class, Jetty treats Kerberos 
> realms as "roles". When configuring allowed users to Jetty with some 
> constraint, you have to set what roles (realms) are allowed.
> Presently, Avatica just sets the realm of the server's principal as allowed, 
> which means that in some multi-realm KDC (or cross-domain MIT KRB+Active 
> Directory) setup, users from the other realm which should be allowed are 
> denied.
> Even better, Jetty's syntax for {{\*}} for allowing any role (realm) doesn't 
> actually work. Their logic in 9.2.15 for {{ConstraintSecurityHandler}} 
> appears broken:
> {code}
>         //handle * role constraint
>         if (roleInfo.isAnyRole() && request.getUserPrincipal() != null && isUserInRole)
>         {
>             return true;
>         }
> {code}
> The above check should let users through with any role when {{isAnyRole()}} 
> returns true, but the final {{isUserInRole}} check requires that the role is 
> explicitly listed in the list of allowedRoles.
> As such, we're going to need to expose an API which allows users to set a 
> list of allowed realms since Jetty is busted to make Kerberos authentication 
> actually work correctly.
> Thanks to [~kliew] for bringing this one to my attention.



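The realm-as-role decision the quoted issue describes, modelled as an added example (not Jetty's or Avatica's code): a stand-in `RoleInfo`, the quoted 9.2.15 `*` branch beside the check that syntax is meant to express, and constructed principals of the form user@REALM (the realm-to-role mapping and the `isUserInRole` behaviour are taken from the issue text, not from Jetty's source).

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Model of the realm-as-role check from CALCITE-1282; stand-in types, not Jetty/Avatica classes. */
public class RealmRoleCheck {

    /** Stand-in for Jetty's RoleInfo: the allowed "roles" (Kerberos realms); "*" marks any-role. */
    static final class RoleInfo {
        final Set<String> roles;
        RoleInfo(String... allowed) { roles = new HashSet<>(Arrays.asList(allowed)); }
        boolean isAnyRole() { return roles.contains("*"); }
    }

    /** Per the issue, the SPNEGO principal's realm becomes its role: alice@EXAMPLE.COM -> EXAMPLE.COM. */
    static String realmOf(String principal) {
        int at = principal.lastIndexOf('@');
        return at < 0 ? "" : principal.substring(at + 1);
    }

    /** isUserInRole as the issue describes it: the realm must be listed explicitly, "*" does not match. */
    static boolean isUserInRole(RoleInfo info, String principal) {
        return info.roles.contains(realmOf(principal));
    }

    /** The 9.2.15 logic quoted in the issue: the "*" branch still demands isUserInRole, so it adds nothing. */
    static boolean jettyCheck(RoleInfo info, String principal) {
        if (info.isAnyRole() && principal != null && isUserInRole(info, principal)) {
            return true; // only reachable when the realm is also listed explicitly
        }
        return principal != null && isUserInRole(info, principal);
    }

    /** What "*" is meant to express: any authenticated principal passes, otherwise the realm must be listed. */
    static boolean intendedCheck(RoleInfo info, String principal) {
        return principal != null && (info.isAnyRole() || isUserInRole(info, principal));
    }

    public static void main(String[] args) {
        String same = "alice@EXAMPLE.COM";        // constructed: same realm as the server principal
        String cross = "bob@CORP.EXAMPLE.NET";    // constructed: user from a trusted cross-realm KDC
        RoleInfo serverRealmOnly = new RoleInfo("EXAMPLE.COM");                  // avatica-1.8.0 default
        RoleInfo star = new RoleInfo("*");                                       // the "*" syntax
        RoleInfo explicitList = new RoleInfo("EXAMPLE.COM", "CORP.EXAMPLE.NET"); // the explicit-list workaround
        for (String p : new String[] {same, cross}) {
            System.out.printf("%-22s server-realm-only=%-5b star(jetty)=%-5b star(intended)=%-5b explicit=%b%n",
                p, jettyCheck(serverRealmOnly, p), jettyCheck(star, p), intendedCheck(star, p), jettyCheck(explicitList, p));
        }
    }
}
```

The `star(jetty)` column comes out false for both principals, which is the behaviour the issue reports; only the explicit realm list admits the cross-realm user under the quoted logic.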
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)