Michael Ho has posted comments on this change. ( http://gerrit.cloudera.org:8080/8270 )

Change subject: IMPALA-5053: [SECURITY] Make KRPC work with Kerberos
......................................................................


Patch Set 6:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/8270/6/be/src/rpc/rpc-mgr.cc
File be/src/rpc/rpc-mgr.cc:

http://gerrit.cloudera.org:8080/#/c/8270/6/be/src/rpc/rpc-mgr.cc@75
PS6, Line 75:     FLAGS_rpc_authentication = "required";
> Seems that we should still explicitly set FLAGS_rpc_authentication unless t
As discussed offline, this flag also affects the Kudu client so it's best to 
leave FLAGS_rpc_authentication as the default value of optional for now until 
we change the messenger builder's interface to take authentication as an option 
(i.e. KUDU-2288). Please leave a comment about KUDU-2288 here.

Some older Kudu servers may not support Kerberos, so forcing 
FLAGS_rpc_authentication to "required" when Kerberos is enabled in Impala may 
actually break communication with older Kudu servers. That said, once KUDU-2288 
is fixed, we do need to pass "required" for the authentication option when 
building the messenger so as to disallow the plain text option, and negotiation 
will fail if the remote peer doesn't support Kerberos.

Similarly, we may need to force it to "disabled" if Kerberos is not enabled in 
Impala as Impala will not do a Kinit in that case and the default behavior of 
"optional" means both Impalad nodes will choose Kerberos as the authentication 
mechanism if available but the negotiation will always fail as the client 
didn't do a Kinit. This arguably is a bug in Kudu but it seems a reasonable 
workaround for now to force "disabled" in that case.



--
To view, visit http://gerrit.cloudera.org:8080/8270

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I8cec5cca5fdb4b1d46bab19e86cb1a8a3ad718fd
Gerrit-Change-Number: 8270
Gerrit-PatchSet: 6
Gerrit-Owner: Sailesh Mukil <sail...@cloudera.com>
Gerrit-Reviewer: Michael Ho <k...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sail...@cloudera.com>
Gerrit-Comment-Date: Fri, 01 Dec 2017 07:40:47 +0000
Gerrit-HasComments: Yes
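
The cases raised in the comment above, as an added example that is not part of the original review or of the Impala or Kudu code: a simplified C++ model of how the "disabled", "optional" and "required" settings interact during negotiation. The names `Peer`, `Negotiate`, `ChooseAuth` and the two scenario helpers are hypothetical, and the negotiation rule is an assumption taken from the comment's description.

```cpp
#include <iostream>

// Simplified model of the settings discussed above. The negotiation rule is an
// assumption taken from the comment's description, not Kudu's implementation.
enum class Auth { kDisabled, kOptional, kRequired };
enum class Outcome { kPlain, kKerberos, kFailed };

struct Peer {
  Auth auth;                // value of the rpc_authentication setting
  bool kerberos_available;  // the peer supports Kerberos and can offer it
  bool has_credentials;     // a kinit was done, so a ticket exists
};

bool OffersKerberos(const Peer& p) {
  return p.auth != Auth::kDisabled && p.kerberos_available;
}
bool AcceptsPlain(const Peer& p) { return p.auth != Auth::kRequired; }

Outcome Negotiate(const Peer& client, const Peer& server) {
  // Kerberos wins when both sides offer it; without a client ticket the
  // negotiation fails instead of falling back to plain text.
  if (OffersKerberos(client) && OffersKerberos(server)) {
    return client.has_credentials ? Outcome::kKerberos : Outcome::kFailed;
  }
  if (AcceptsPlain(client) && AcceptsPlain(server)) return Outcome::kPlain;
  return Outcome::kFailed;
}

// Setting the comment arrives at for each Impala configuration.
Auth ChooseAuth(bool kerberos_enabled, bool kudu_2288_fixed) {
  if (!kerberos_enabled) return Auth::kDisabled;  // no kinit will happen
  return kudu_2288_fixed ? Auth::kRequired : Auth::kOptional;
}

// Two impalads without Kerberos enabled: the mechanism is present, no kinit.
Outcome ImpaladPairNoKinit(Auth setting) {
  Peer node{setting, true, false};
  return Negotiate(node, node);
}

// Kerberized Impala (ticket held) talking to an older Kudu server.
Outcome ImpalaToOlderKudu(Auth client_setting) {
  return Negotiate({client_setting, true, true}, {Auth::kOptional, false, false});
}

int main() {
  std::cout << (ImpaladPairNoKinit(Auth::kOptional) == Outcome::kFailed) << "\n";
  std::cout << (ImpalaToOlderKudu(Auth::kRequired) == Outcome::kFailed) << "\n";
}
```

In this model the plain text result for the older Kudu server under "optional" is the compatibility the comment wants to keep for now, and it is also the downgrade that "required" is meant to rule out once KUDU-2288 allows setting it per messenger.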