> On July 27, 2017, 3:55 p.m., Robert Levas wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/serveraction/upgrades/FixAuthToLocalMappingAction.java
> > Lines 36-37 (patched)
> > <https://reviews.apache.org/r/61168/diff/2/?file=1784339#file1784339line36>
> >
> >     There may be lots of different auth-to-local rule sets. The main one is `core-site/hadoop.security.auth_to_local`.
> >
> >     See `org.apache.ambari.server.state.kerberos.KerberosDescriptor#getAllAuthToLocalProperties`
> >
> >     For example:
> >
> >     - `kms-site/hadoop.kms.authentication.kerberos.name.rules`
> >     - `falcon-startup.properties/*.falcon.http.authentication.kerberos.name.rules`
>
> Sid Wagle wrote:
>     Hi Rob, I haven't verified RANGER upgrade works fine or not. Does your comment point to checking their auth_to_local for the exact same inconsistencies? I have manually verified this works for HIVE, can we get this change in and fix as we hit issues? We can use the same class and make changes as needed.

I think that we should solve this for all managed auth-to-local rule sets. I am not keen on the implication of having the SPNEGO (`HTTP`) identity translating to a local system user. That could be dangerous, especially when that user is a _proxyuser_. This issue will not be caught via testing, so it will go unnoticed until a security violation is detected.


> On July 27, 2017, 3:55 p.m., Robert Levas wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/serveraction/upgrades/FixAuthToLocalMappingAction.java
> > Lines 83 (patched)
> > <https://reviews.apache.org/r/61168/diff/2/?file=1784339#file1784339line83>
> >
> >     Technically there should be no HTTP rule in the auth_to_local rules. This is not really a user identity.
>
> Sid Wagle wrote:
>     So the local user mapping of this rule does not matter, we should remove the HTTP rule? I will update the patch accordingly.

Yes... remove the HTTP rule no matter what the translation is. `HTTP/_HOST` should always translate using the `DEFAULT` rule.


- Robert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/61168/#review181606
-----------------------------------------------------------


On July 27, 2017, 5:36 p.m., Sid Wagle wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/61168/
> -----------------------------------------------------------
>
> (Updated July 27, 2017, 5:36 p.m.)
>
>
> Review request for Ambari, Attila Doroszlai, Alejandro Fernandez, Jonathan Hurley, Robert Levas, and Sumit Mohanty.
>
>
> Bugs: AMBARI-21577
>     https://issues.apache.org/jira/browse/AMBARI-21577
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Hive Service check is failing :-
>
> {code}
> HTTP/[email protected] is not allowed to impersonate ambari-qa
> {code}
>
> Patch executes custom action to remove offending rules.
>
>
> Diffs
> -----
>
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/upgrades/FixAuthToLocalMappingAction.java PRE-CREATION
>   ambari-server/src/main/resources/stacks/BigInsights/4.2.5/upgrades/nonrolling-upgrade-to-hdp-2.6.xml 684acfa
>   ambari-server/src/main/resources/stacks/BigInsights/4.2/upgrades/nonrolling-upgrade-to-hdp-2.6.xml 484e459
>   ambari-server/src/test/java/org/apache/ambari/server/serveraction/upgrades/FixAuthToLocalMappingActionTest.java PRE-CREATION
>
>
> Diff: https://reviews.apache.org/r/61168/diff/4/
>
>
> Testing
> -------
>
> Manually verified.
>
>
> Thanks,
>
> Sid Wagle
>
>
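The translation behaviour the reviewers disagree about, as an added example that is not part of this thread, of Hadoop's `KerberosName` or of Ambari's `FixAuthToLocalMappingAction`: a simplified Python evaluator for Hadoop-style `auth_to_local` rules. The realm `EXAMPLE.COM`, the rule set and the `hdfs` target are constructed; the evaluator skips some of Hadoop's syntax (escaped slashes and group references in the replacement). It shows that an explicit rule for the `HTTP` principal turns `HTTP/_HOST@REALM` into a local system user, and that once that rule is gone the same principal falls through to `DEFAULT`, which yields the short name `HTTP`. The probe-based check goes slightly beyond the thread: it flags any explicit rule that captures a SPNEGO principal, not only the one literal rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One rule:  RULE:[n:format](selector)s/pattern/replacement/g/L   or   DEFAULT
# Simplified: no escaped slashes and no group references in the replacement.
RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"              # component count + format string
    r"(?:\((?P<regex>[^)]*)\))?"                        # optional selector, whole-name match
    r"(?:s/(?P<pat>[^/]*)/(?P<repl>[^/]*)/(?P<g>g)?)?"   # optional sed-style substitution
    r"(?P<lower>/L)?$"                                  # optional lowercase flag
)

REALM = "EXAMPLE.COM"  # constructed default realm

# Constructed rule set; the first rule is the kind the patch removes.
RULES_WITH_HTTP = """
RULE:[2:$1@$0](HTTP@EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](hive@EXAMPLE.COM)s/.*/hive/
RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//
DEFAULT
"""


class NoMatchingRule(Exception):
    """No rule, DEFAULT included, produced a short name."""


@dataclass
class Principal:
    components: List[str]  # e.g. ["HTTP", "node1.example.com"]
    realm: str

    @classmethod
    def parse(cls, text: str) -> "Principal":
        name, sep, realm = text.rpartition("@")
        if not sep or not name:
            raise ValueError(f"principal without realm: {text!r}")
        return cls(name.split("/"), realm)


def parse_rules(text: str) -> List[str]:
    """Rules are whitespace separated in core-site; validate each one's syntax."""
    rules = text.split()
    for rule in rules:
        if rule != "DEFAULT" and RULE_RE.match(rule) is None:
            raise ValueError(f"malformed auth_to_local rule: {rule!r}")
    return rules


def apply_rule(rule: str, principal: Principal, default_realm: str) -> Optional[str]:
    """Short name produced by one rule, or None when the rule does not apply."""
    if rule == "DEFAULT":
        # DEFAULT only knows the local realm: keep the first component of a
        # principal in that realm, apply to nothing else.
        return principal.components[0] if principal.realm == default_realm else None
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"malformed auth_to_local rule: {rule!r}")
    if int(m["n"]) != len(principal.components):
        return None
    # $0 is the realm, $1..$n are the components before the '@'.
    formatted = m["fmt"].replace("$0", principal.realm)
    for i, comp in enumerate(principal.components, start=1):
        formatted = formatted.replace(f"${i}", comp)
    if m["regex"] is not None and re.fullmatch(m["regex"], formatted) is None:
        return None
    if m["pat"] is not None:
        count = 0 if m["g"] else 1  # 'g' replaces every match, otherwise only the first
        formatted = re.sub(m["pat"], m["repl"], formatted, count=count)
    return formatted.lower() if m["lower"] else formatted


def translate(rules: List[str], principal_text: str, default_realm: str) -> str:
    """First applicable rule wins, as in Hadoop; DEFAULT is just another rule."""
    principal = Principal.parse(principal_text)
    for rule in rules:
        short = apply_rule(rule, principal, default_realm)
        if short is not None:
            return short
    raise NoMatchingRule(principal_text)


def explicit_http_rules(rules: List[str], default_realm: str) -> List[str]:
    """Non-DEFAULT rules that give a SPNEGO service principal a local identity.

    A probe principal is run through each rule; a catch-all rule that captures
    it is flagged too, since its effect on HTTP/_HOST is the same.
    """
    probe = Principal.parse(f"HTTP/probe.host.invalid@{default_realm}")
    return [r for r in rules
            if r != "DEFAULT" and apply_rule(r, probe, default_realm) is not None]


def without_http_rules(rules: List[str], default_realm: str) -> List[str]:
    """Rule set with the flagged rules dropped; order is preserved."""
    flagged = set(explicit_http_rules(rules, default_realm))
    return [r for r in rules if r not in flagged]


if __name__ == "__main__":
    rules = parse_rules(RULES_WITH_HTTP)
    spnego = f"HTTP/node1.example.com@{REALM}"
    print("before: ", translate(rules, spnego, REALM))   # hdfs: SPNEGO became a system user
    print("flagged:", explicit_http_rules(rules, REALM))
    fixed = without_http_rules(rules, REALM)
    print("after:  ", translate(fixed, spnego, REALM))   # HTTP: handled by DEFAULT
```

Running the block against the constructed rules maps the SPNEGO principal to `hdfs` before the fix and to `HTTP` after it, while `hive/...` and plain user principals in the realm translate unchanged; a principal from a foreign realm still raises `NoMatchingRule`, which is the behaviour `DEFAULT` is meant to have.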
