Tim Armstrong has uploaded this change for review. ( http://gerrit.cloudera.org:8080/15351 )

Change subject: IMPALA-9456: allow disabling kerberos selectively
......................................................................

IMPALA-9456: allow disabling kerberos selectively

There are specific use cases where we need to talk to kerberized
services (HMS, etc) and want to keep our TGT up to date using Impala's
kinit infrastructure, but don't want to kerberize all connections.

Adds --skip_internal_kerberos_auth and --skip_external_kerberos_auth
to disable Kerberos authentication for incoming connections even if
--principal is set. The daemon does a kinit and keeps tickets
up-to-date with the background thread even if kerberos is disabled
for all incoming connections.

Behaviour only changes when those flags are toggled.

The change required restructuring the code a bit, specifically
pulling the call to InitKerberosForServer() out of
SecureAuthProvider, which I think is a net improvement that makes
the control flow clearer.

Testing:
Add unit tests to:
* confirm that the kinit occurs even with auth disabled.
* confirm that incoming KRPC connections do not require authentication.

I would have liked to add automated tests for thrift interfaces but did
not have the infrastructure to unit-test it. I think the changes I made
are fairly low risk because they do not increase the number of code paths
in AuthManager::Init() and can be verified by inspection. The tests I
would have liked to add are:
* confirm that incoming external connections do not require auth
* confirm that internal thrift connections do not require auth.

Manually started kerberized minicluster with internal/external kerberos
disabled, e.g. with the command line:

  start-impala-cluster.py \
    --impalad_args=--skip_external_kerberos_auth=true \
    --impalad_args=--skip_internal_kerberos_auth=true \
    --state_store_args=--skip_internal_kerberos_auth=true \
    --catalogd_args=--skip_internal_kerberos_auth=true

Confirmed that impala-shell connected without -k when
--skip_external_kerberos_auth=true and required -k otherwise.

Confirmed that we could run queries against HDFS tables even
with internal and external auth disabled. Checked logs to see
that tickets were reacquired.

  I0303 08:33:49.319911 16079 init.cc:303] Successfully reacquired a new kerberos TGT

Tested that a partially kerberised minicluster worked as expected, i.e.
that impalad <-> catalog/statestore connections can have auth disabled
so that the impalad can authenticate even if it does not have the right
principal set. The first start-impala-cluster.py command below succeeds
but the second and third fail because they cannot authenticate with the
catalog and statestore respectively because the processes did not kinit
as the impala principal.

  kinit -kt impala.keytab tarmstrong/[email protected]
  start-impala-cluster.py \
    --impalad_args='--principal="" --be_principal="" --keytab_file="" --krb5_ccname="/tmp/krb5cc_1000"' \
    --state_store_args=--skip_internal_kerberos_auth=true \
    --catalogd_args=--skip_internal_kerberos_auth=true

  kinit -kt impala.keytab tarmstrong/[email protected]
  start-impala-cluster.py \
    --impalad_args='--principal="" --be_principal="" --keytab_file="" --krb5_ccname="/tmp/krb5cc_1000"' \
    --state_store_args=--skip_internal_kerberos_auth=false \
    --catalogd_args=--skip_internal_kerberos_auth=true

  kinit -kt impala.keytab tarmstrong/[email protected]
  start-impala-cluster.py \
    --impalad_args='--principal="" --be_principal="" --keytab_file="" --krb5_ccname="/tmp/krb5cc_1000"' \
    --state_store_args=--skip_internal_kerberos_auth=false \
    --catalogd_args=--skip_internal_kerberos_auth=true

Change-Id: I3b1c641e05e588287e4d9d9cd8389d96fc71cf74
---
M be/src/common/global-flags.cc
M be/src/rpc/auth-provider.h
M be/src/rpc/authentication-test.cc
M be/src/rpc/authentication.cc
M be/src/rpc/rpc-mgr-kerberized-test.cc
M be/src/rpc/rpc-mgr.cc
M be/src/util/auth-util.h
7 files changed, 128 insertions(+), 52 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/51/15351/2
--
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I3b1c641e05e588287e4d9d9cd8389d96fc71cf74
Gerrit-Change-Number: 15351
Gerrit-PatchSet: 2
Gerrit-Owner: Tim Armstrong <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
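
Because the new flags turn off incoming Kerberos authentication even when --principal is set, a deployment review needs to see which daemons end up accepting unauthenticated connections. The following is an added example, not part of the change under review or of Impala: a hypothetical audit helper (all function names are made up here) that reads a start-impala-cluster.py command line like the ones in the commit message and assumes gflags-style boolean spellings.

```python
import shlex

# Wrapper options and flag names as they appear in the commit message above.
DAEMON_ARGS = {"--impalad_args": "impalad", "--state_store_args": "statestored",
               "--catalogd_args": "catalogd"}
SKIP_FLAGS = {"skip_internal_kerberos_auth": "internal",
              "skip_external_kerberos_auth": "external"}
TRUE_VALUES = {"true", "1", "t", "yes", "y"}  # assumption: gflags-style booleans

# Second partially kerberized command from the message, joined onto one line.
SAMPLE = ("start-impala-cluster.py --impalad_args='--principal=\"\" "
          "--be_principal=\"\" --keytab_file=\"\" "
          "--krb5_ccname=\"/tmp/krb5cc_1000\"' "
          "--state_store_args=--skip_internal_kerberos_auth=false "
          "--catalogd_args=--skip_internal_kerberos_auth=true")


def parse_daemon_flags(cmdline):
    """Return {daemon: {flag: value}} from a start-impala-cluster.py command."""
    flags = {daemon: {} for daemon in DAEMON_ARGS.values()}
    for token in shlex.split(cmdline):
        opt, sep, payload = token.partition("=")
        if opt not in DAEMON_ARGS or not sep:
            continue
        # One wrapper option may carry several daemon flags in a quoted string.
        for inner in shlex.split(payload):
            name, has_value, value = inner.lstrip("-").partition("=")
            flags[DAEMON_ARGS[opt]][name] = value if has_value else "true"
    return flags


def unauthenticated_listeners(cmdline):
    """Sorted (daemon, scope) pairs whose incoming Kerberos auth is skipped."""
    return sorted((daemon, scope)
                  for daemon, daemon_flags in parse_daemon_flags(cmdline).items()
                  for flag, scope in SKIP_FLAGS.items()
                  if daemon_flags.get(flag, "false").lower() in TRUE_VALUES)


def peers_still_requiring_auth(cmdline):
    """Daemons that keep internal auth on while impalad runs with --principal="".
    Per the message's partially kerberized test, those connections fail."""
    if parse_daemon_flags(cmdline)["impalad"].get("principal") != "":
        return []
    skipped = set(unauthenticated_listeners(cmdline))
    return [d for d in ("catalogd", "statestored") if (d, "internal") not in skipped]


if __name__ == "__main__":
    print(unauthenticated_listeners(SAMPLE), peers_still_requiring_auth(SAMPLE))
```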