Tim Armstrong has posted comments on this change. ( http://gerrit.cloudera.org:8080/15340 )

Change subject: IMPALA-9430: always pass through kerberos configs
......................................................................


Patch Set 5:

(3 comments)

http://gerrit.cloudera.org:8080/#/c/15340/5//COMMIT_MSG
Commit Message:

http://gerrit.cloudera.org:8080/#/c/15340/5//COMMIT_MSG@15
PS5, Line 15: Having them pick up different
            :   kerberos settings if internal communication is disabled is weird
It'll fall back to whatever the default behaviour of libkrb5 and the Java 
kerberos implementation is - which first look at environment vars or JVM args, 
then fall back to whatever their defaults are.

> does that mean this patch is basically an improvement to how Kerberos gets 
> configured? e.g. before this patch, you couldn't use Impala flags to 
> configure external Kerberos authentication (unless --principal is set), but 
> after this patch you can?

Yeah exactly. It means you can configure the kerberos libraries *without* 
setting --principal. Which is a good thing because those kerberos libraries 
*can* be used for outgoing connections even if --principal is not set.


http://gerrit.cloudera.org:8080/#/c/15340/5//COMMIT_MSG@19
PS5, Line 19: It matches the documentation of the flags
I updated --principal to explain better what it does.

The key thing is that it's implicitly referring to incoming connections. E.g. 
incoming external connections means client connections to HS2 or beeswax, 
whereas incoming internal connections means the various internal interfaces - 
KRPC, the backend thrift stuff, statestore, catalog.

Outgoing connections are kinda glossed over in those comments, and those are 
handled internally in different libraries. The kinit behaviour *does* affect 
those - it's the difference between acquiring a new TGT as --principal and 
picking up whatever principal was in the credential cache from a kinit.

>  impala-HMS connections can be kerberized without --principal being set

This was the case before and after this change. But before this change you'd 
have to configure it indirectly by setting JAVA_TOOL_OPTIONS, and the various 
KRB5 env vars.


http://gerrit.cloudera.org:8080/#/c/15340/5/be/src/rpc/rpc-mgr-kerberized-test.cc
File be/src/rpc/rpc-mgr-kerberized-test.cc:

http://gerrit.cloudera.org:8080/#/c/15340/5/be/src/rpc/rpc-mgr-kerberized-test.cc@206
PS5, Line 206:   // Check that the above changes went into the appropriate env variables.
             :   EXPECT_EQ("/tmp/DisabledKerberosConfigsKeytab", string(getenv("KRB5_KTNAME")));
             :   EXPECT_EQ("/tmp/DisabledKerberosConfigsCC", string(getenv("KRB5CCNAME")));
             :   EXPECT_EQ("/tmp/DisabledKerberosConfigsConf", string(getenv("KRB5_CONFIG")));
             :   EXPECT_EQ("/tmp/DisabledKerberosConfigsDebug", string(getenv("KRB5_TRACE")));
> just to clarify, the kerberos config flags get passed to Hadoop via these e
yup. enhanced the comment.



--
To view, visit http://gerrit.cloudera.org:8080/15340

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: If4bb311c7ab7173232aab36c5ed801f93f38f5b9
Gerrit-Change-Number: 15340
Gerrit-PatchSet: 5
Gerrit-Owner: Tim Armstrong <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Sahil Takiar <[email protected]>
Gerrit-Reviewer: Tim Armstrong <[email protected]>
Gerrit-Comment-Date: Sat, 07 Mar 2020 01:26:02 +0000
Gerrit-HasComments: Yes
