[ https://issues.apache.org/jira/browse/CALCITE-1282?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Josh Elser resolved CALCITE-1282.
---------------------------------
    Resolution: Fixed

Fixed in https://git1-us-west.apache.org/repos/asf?p=calcite.git;a=commit;h=6000c9e7c24d487517df1f93a3a174e38821cdae

> Avatica will only accept SPNEGO-authenticated clients from the same realm as the server's principal
> ---------------------------------------------------------------------------------------------------
>
>                 Key: CALCITE-1282
>                 URL: https://issues.apache.org/jira/browse/CALCITE-1282
>             Project: Calcite
>          Issue Type: Bug
>          Components: avatica
>    Affects Versions: avatica-1.8.0
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>            Priority: Critical
>             Fix For: avatica-1.9.0
>
>
> When setting up the Jetty security Constraint class, Jetty treats Kerberos realms as "roles". When configuring allowed users to Jetty with some constraint, you have to set what roles (realms) are allowed.
>
> Presently, Avatica just sets the realm of the server's principal as allowed, which means that in some multi-realm KDC (or cross-domain MIT KRB+Active Directory) setup, users from the other realm which should be allowed are denied.
>
> Even better, Jetty's syntax for {{\*}} for allowing any role (realm) doesn't actually work. Their logic in 9.2.15 for {{ConstraintSecurityHandler}} appears broken:
>
> {code}
> //handle * role constraint
> if (roleInfo.isAnyRole() && request.getUserPrincipal() != null && isUserInRole)
> {
>     return true;
> }
> {code}
>
> The above check should let users through with any role when {{isAnyRole()}} returns true, but the final {{isUserInRole}} check requires that the role is explicitly listed in the list of allowedRoles.
>
> As such, we're going to need to expose an API which allows users to set a list of allowed realms since Jetty is busted to make Kerberos authentication actually work correctly.
>
> Thanks to [~kliew] for bringing this one to my attention.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
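The workaround the issue calls for, as an added example that is not Avatica's or Jetty's own code: build a Jetty `ConstraintSecurityHandler` whose SPNEGO constraint lists every trusted Kerberos realm explicitly (the server's own realm plus any extra realms the deployer allows), instead of relying on the `*` any-role syntax. It uses Jetty 9.2-era public classes (`Constraint`, `ConstraintMapping`, `ConstraintSecurityHandler`, `SpnegoAuthenticator`, `SpnegoLoginService`); the class name, the `realmOf` helper, the sample principal, realm names and the properties-file path are assumptions constructed for the example.

```java
// Added example; not Avatica or Jetty project code. Demonstrates listing allowed
// Kerberos realms as Jetty "roles" so that cross-realm SPNEGO clients are accepted.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.SpnegoLoginService;
import org.eclipse.jetty.security.authentication.SpnegoAuthenticator;
import org.eclipse.jetty.util.security.Constraint;

public final class SpnegoRealmConstraintExample {

  /** Extracts the realm from a Kerberos principal such as HTTP/host.example.com@EXAMPLE.COM. */
  static String realmOf(String principal) {
    int at = principal.lastIndexOf('@');
    if (at < 0 || at == principal.length() - 1) {
      throw new IllegalArgumentException("principal has no realm: " + principal);
    }
    return principal.substring(at + 1);
  }

  /**
   * Builds a security handler whose constraint names the server's realm plus any
   * additional realms the deployer trusts (the "allowed realms" list the issue asks for).
   *
   * @param serverPrincipal  the service principal the server authenticates as
   * @param additionalRealms other realms (e.g. a cross-realm AD domain) whose users may log in
   * @param spnegoProperties path to the Jetty SPNEGO properties file (hypothetical path)
   */
  static ConstraintSecurityHandler build(String serverPrincipal, List<String> additionalRealms,
      String spnegoProperties) {
    String serverRealm = realmOf(serverPrincipal);
    List<String> allowedRealms = new ArrayList<>();
    allowedRealms.add(serverRealm);
    for (String realm : additionalRealms) {
      if (!allowedRealms.contains(realm)) {
        allowedRealms.add(realm);
      }
    }

    Constraint constraint = new Constraint();
    constraint.setName(Constraint.__SPNEGO_AUTH);
    // Jetty's isUserInRole check only passes for roles named here, which is why "*"
    // on its own does not admit other realms in 9.2.15 (see the issue description).
    constraint.setRoles(allowedRealms.toArray(new String[0]));
    constraint.setAuthenticate(true);

    ConstraintMapping mapping = new ConstraintMapping();
    mapping.setConstraint(constraint);
    mapping.setPathSpec("/*");

    ConstraintSecurityHandler handler = new ConstraintSecurityHandler();
    handler.setAuthenticator(new SpnegoAuthenticator());
    // SpnegoLoginService reports the authenticated user's realm as its Jetty role.
    handler.setLoginService(new SpnegoLoginService(serverRealm, spnegoProperties));
    handler.setConstraintMappings(Collections.singletonList(mapping));
    handler.setRealmName(serverRealm);
    return handler;
  }

  public static void main(String[] args) {
    // Constructed sample values: an MIT KDC realm for the server and one trusted AD realm.
    ConstraintSecurityHandler handler = build(
        "HTTP/avatica.example.com@EXAMPLE.COM",
        Arrays.asList("CORP.EXAMPLE.COM"),
        "/etc/avatica/spnego.properties");
    String[] roles = handler.getConstraintMappings().get(0).getConstraint().getRoles();
    System.out.println("Allowed realms (Jetty roles): " + Arrays.toString(roles));
  }
}
```

The point to check in a deployment is the role list that ends up on the constraint: a client from a realm absent from that list is rejected by `ConstraintSecurityHandler` even though the KDC accepted its ticket, which is exactly the symptom the issue reports.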