[ https://issues.apache.org/jira/browse/CALCITE-1282?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Josh Elser resolved CALCITE-1282.
---------------------------------
    Resolution: Fixed

Fixed in 
https://git1-us-west.apache.org/repos/asf?p=calcite.git;a=commit;h=6000c9e7c24d487517df1f93a3a174e38821cdae

> Avatica will only accept SPNEGO-authenticated clients from the same realm as 
> the server's principal
> ---------------------------------------------------------------------------------------------------
>
>                 Key: CALCITE-1282
>                 URL: https://issues.apache.org/jira/browse/CALCITE-1282
>             Project: Calcite
>          Issue Type: Bug
>          Components: avatica
>    Affects Versions: avatica-1.8.0
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>            Priority: Critical
>             Fix For: avatica-1.9.0
>
>
> When setting up the Jetty security Constraint class, Jetty treats Kerberos 
> realms as "roles". When configuring allowed users to Jetty with some 
> constraint, you have to set what roles (realms) are allowed.
> Presently, Avatica just sets the realm of the server's principal as allowed, 
> which means that in some multi-realm KDC (or cross-domain MIT KRB+Active 
> Directory) setup, users from the other realm which should be allowed are 
> denied.
> Even better, Jetty's syntax for {{\*}} for allowing any role (realm) doesn't 
> actually work. Their logic in 9.2.15 for {{ConstraintSecurityHandler}} 
> appears broken:
> {code}
>         //handle * role constraint
>         if (roleInfo.isAnyRole() && request.getUserPrincipal() != null && isUserInRole)
>         {
>             return true;
>         }
> {code}
> The above check should let users through with any role when {{isAnyRole()}} 
> returns true, but the final {{isUserInRole}} check requires that the role is 
> explicitly listed in the list of allowedRoles.
> As such, we're going to need to expose an API which allows users to set a 
> list of allowed realms since Jetty is busted to make Kerberos authentication 
> actually work correctly.
> Thanks to [~kliew] for bringing this one to my attention.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
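The workaround the description calls for, building a Jetty `ConstraintSecurityHandler` whose role list is an explicit set of trusted Kerberos realms rather than `*`, as an added example. This is not Avatica's code and not the fix commit above; it uses the public Jetty 9.2 API names (`Constraint`, `ConstraintMapping`, `ConstraintSecurityHandler`, `SpnegoAuthenticator`, `SpnegoLoginService`), and the principal, realm names and `spnego.properties` path in `main` are constructed placeholders.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.SpnegoLoginService;
import org.eclipse.jetty.security.authentication.SpnegoAuthenticator;
import org.eclipse.jetty.util.security.Constraint;

public class MultiRealmSpnegoHandler {

    /** Realm of a Kerberos principal such as "HTTP/host@EXAMPLE.COM": the text after the last '@'. */
    static String realmOf(String principal) {
        int at = principal.lastIndexOf('@');
        if (at < 0 || at == principal.length() - 1) {
            throw new IllegalArgumentException("principal has no realm: " + principal);
        }
        return principal.substring(at + 1);
    }

    /** The server's own realm first, then every additional realm; duplicates dropped, order kept. */
    static Set<String> allowedRealms(String serverPrincipal, List<String> additionalRealms) {
        Set<String> realms = new LinkedHashSet<>();
        realms.add(realmOf(serverPrincipal));
        realms.addAll(additionalRealms);
        return realms;
    }

    /**
     * Jetty turns the realm of an authenticated Kerberos principal into a role, so the
     * roles on the constraint are exactly the realms we trust. No "*" is used: as the
     * description above shows, Constraint.ANY_ROLE in 9.2.15 still requires the role
     * to be explicitly listed, so it would not admit a second realm anyway.
     */
    static ConstraintSecurityHandler build(String serverPrincipal, List<String> additionalRealms,
            String spnegoPropertiesPath) {
        Set<String> realms = allowedRealms(serverPrincipal, additionalRealms);

        Constraint constraint = new Constraint();
        constraint.setName(Constraint.__SPNEGO_AUTH);
        constraint.setRoles(realms.toArray(new String[0]));
        constraint.setAuthenticate(true);

        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setConstraint(constraint);
        mapping.setPathSpec("/*");

        ConstraintSecurityHandler handler = new ConstraintSecurityHandler();
        handler.setAuthenticator(new SpnegoAuthenticator());
        // spnego.properties carries the server's targetName; the file is read when the handler starts.
        handler.setLoginService(new SpnegoLoginService("SPNEGO", spnegoPropertiesPath));
        // Register the realms as the handler's known roles as well, so both lists agree.
        handler.setConstraintMappings(Arrays.asList(mapping), realms);
        return handler;
    }

    public static void main(String[] args) {
        // Constructed placeholders: a server in EXAMPLE.COM that must also admit CORP.EXAMPLE.COM users.
        String serverPrincipal = "HTTP/avatica.example.com@EXAMPLE.COM";
        List<String> extraRealms = Arrays.asList("CORP.EXAMPLE.COM");
        System.out.println("allowed realms (roles): " + allowedRealms(serverPrincipal, extraRealms));
        ConstraintSecurityHandler handler = build(serverPrincipal, extraRealms, "/path/to/spnego.properties");
        System.out.println("constraint mappings: " + handler.getConstraintMappings().size());
    }
}
```

Keeping the realm list explicit also makes the trust decision auditable: a realm that is not in the list is rejected with a 403 by Jetty's role check rather than silently admitted, which is the behaviour an operator wants when a KDC serves more realms than the application should trust.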