Tim Armstrong has posted comments on this change. ( http://gerrit.cloudera.org:8080/15351 )
Change subject: IMPALA-9456: allow disabling kerberos selectively
......................................................................


Patch Set 2:

(5 comments)

http://gerrit.cloudera.org:8080/#/c/15351/2/be/src/common/global-flags.cc
File be/src/common/global-flags.cc:

http://gerrit.cloudera.org:8080/#/c/15351/2/be/src/common/global-flags.cc@55
PS2, Line 55: DEFINE_bool(skip_internal_kerberos_auth, false,
            :     "(Advanced) skip kerberos authentication for incoming internal connections from "
            :     "other daemons within the Impala cluster (i.e. impalads, statestored, catalogd). "
            :     "Must be set to the same value across all daemons. Only has an effect if --principal "
            :     "is set, i.e. Kerberos is enabled.");
            : DEFINE_bool(skip_external_kerberos_auth, false,
            :     "(Advanced) skip kerberos authentication for incoming external connections to "
            :     "this daemon, e.g. clients connecting to the HS2 interface. Only has an effect "
            :     "if --principal is set, i.e. Kerberos is enabled.");
> what category does impalad-HMS connections fall into?
Neither - those are outgoing connections.


http://gerrit.cloudera.org:8080/#/c/15351/2/be/src/rpc/authentication.cc
File be/src/rpc/authentication.cc:

http://gerrit.cloudera.org:8080/#/c/15351/2/be/src/rpc/authentication.cc@a958
PS2, Line 958:
> i think the docs for this method in authentication.h need to be updated to
Done


http://gerrit.cloudera.org:8080/#/c/15351/2/be/src/rpc/authentication.cc@1231
PS2, Line 1231:   // Flags     | Internal | External
              :   // --------- | -------- | --------
              :   // None      | NoAuth   | NoAuth
              :   // LDAP only | NoAuth   | Sasl(ldap)
              :   // Kerb only | Sasl(be) | Sasl(fe)
              :   // Both      | Sasl(be) | Sasl(fe+ldap)
> does this table need to be updated? it seems there are a few more options n
I updated this comment a little bit. I didn't try to expand the table (16 rows would get unwieldy), but I think the impact of those flags on the table is easily explained.


http://gerrit.cloudera.org:8080/#/c/15351/2/be/src/rpc/authentication.cc@1293
PS2, Line 1293:
> "and"
Done


http://gerrit.cloudera.org:8080/#/c/15351/2/be/src/rpc/authentication.cc@1295
PS2, Line 1295: kerberos_internal_principal
> what about the renew thread for the external principal?
Added a comment to explain why it's not needed. Basically servers in kerberos do not need to kinit because they don't need to acquire tickets for outbound connections.

This is the same behaviour as before this patch but with less indirection - external_auth_provider has is_internal_ = false, which means needs_kinit_ = false.


--
To view, visit http://gerrit.cloudera.org:8080/15351
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I3b1c641e05e588287e4d9d9cd8389d96fc71cf74
Gerrit-Change-Number: 15351
Gerrit-PatchSet: 2
Gerrit-Owner: Tim Armstrong <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Sahil Takiar <[email protected]>
Gerrit-Reviewer: Tim Armstrong <[email protected]>
Gerrit-Comment-Date: Mon, 09 Mar 2020 21:43:41 +0000
Gerrit-HasComments: Yes
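
The 16-row expansion of the flag table discussed in the message above, as an added example that is not part of the original message and is not Impala's code. It assumes each skip flag makes that side resolve as the matching non-Kerberos row of the four-row table; `AuthFlags`, `PlanAuth` and `SkipLeavesSideOpen` are hypothetical names.

```cpp
// Added example: a model of the flag table, not Impala's authentication.cc.
#include <iostream>
#include <string>

struct AuthFlags {
  bool kerberos;       // --principal is set
  bool ldap;           // LDAP enabled (field name is hypothetical)
  bool skip_internal;  // --skip_internal_kerberos_auth
  bool skip_external;  // --skip_external_kerberos_auth
};

struct AuthPlan {
  std::string internal;
  std::string external;
};

// Assumption: a skip flag makes that side resolve as the matching
// non-Kerberos row of the original four-row table.
AuthPlan PlanAuth(const AuthFlags& f) {
  const bool kerb_int = f.kerberos && !f.skip_internal;
  const bool kerb_ext = f.kerberos && !f.skip_external;
  AuthPlan p;
  p.internal = kerb_int ? "Sasl(be)" : "NoAuth";
  if (kerb_ext) {
    p.external = f.ldap ? "Sasl(fe+ldap)" : "Sasl(fe)";
  } else {
    p.external = f.ldap ? "Sasl(ldap)" : "NoAuth";
  }
  return p;
}

// Audit check: Kerberos is configured, yet a skip flag leaves one side of
// the daemon accepting connections with no authentication at all.
bool SkipLeavesSideOpen(const AuthFlags& f) {
  const AuthPlan p = PlanAuth(f);
  return f.kerberos && (p.internal == "NoAuth" || p.external == "NoAuth");
}

int main() {
  std::cout << "kerb ldap skip_int skip_ext | internal | external | audit\n";
  for (int i = 0; i < 16; ++i) {
    const AuthFlags f{(i & 8) != 0, (i & 4) != 0, (i & 2) != 0, (i & 1) != 0};
    const AuthPlan p = PlanAuth(f);
    std::cout << f.kerberos << ' ' << f.ldap << ' ' << f.skip_internal << ' '
              << f.skip_external << " | " << p.internal << " | " << p.external
              << " | " << (SkipLeavesSideOpen(f) ? "REVIEW" : "ok") << "\n";
  }
}
```

Rows marked REVIEW are the combinations where Kerberos is enabled but a skip flag leaves internal or external connections unauthenticated under the stated assumption.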
