Gergely Farkas has uploaded this change for review. ( http://gerrit.cloudera.org:8080/19561 )
Change subject: IMPALA-11726: Allow LDAP user and group filter when Kerberos is enabled
......................................................................
IMPALA-11726: Allow LDAP user and group filter when Kerberos is enabled

This change does two things for the Kerberos authentication support
for impala-shell:

1) Introduces allow_custom_ldap_filters_with_kerberos_auth flag,
   which removes the restriction that prevents the use of LDAP group/user
   search filters when Kerberos authentication is enabled. When the flag
   is set, both Kerberos and LDAP can work with impala-shell even if the
   group/user filters are defined. The flag default value is false,
   which ensures backwards compatibility.

2) Introduces enable_group_filter_check_for_authenticated_kerberos_user
   flag, which enables the check of group filters with the authenticated
   Kerberos principal. This flag makes sense if Kerberos and LDAP
   authentication are enabled and the users in the KDC and LDAP are
   synchronized (e.g. Active Directory provides both LDAP and Kerberos
   authentication).
   The flag default value is false, which ensures backwards compatibility.

Tests:
- New unit test created to check the behavior of AuthManager with
  and without allow_custom_ldap_filters_with_kerberos_auth flag.
- New custom cluster tests created:
  - impala-shell tests that validate existing LDAP search bind
    functionality with Kerberos authentication enabled
    (LdapSearchBindKerberosEnabledImpalaShellTest),
  - impala-shell tests that validate existing LDAP simple bind
    functionality with Kerberos authentication enabled
    (LdapSimpleBindKerberosEnabledImpalaShellTest),
  - impala-shell tests that validate backwards compatibility
    when allow_custom_ldap_filters_with_kerberos_auth flag is
    disabled (LdapSearchBindDefaultFiltersKerberosImpalaShellTest)
  - various impala-shell tests that validate Kerberos
    authentication in an environment where LDAP authentication
    is also enabled (LdapKerberosImpalaShellTest)
- Manual tests with a snapshot build in CDP PVC DS with LDAP and
  Kerberos authentication enabled, user and group filters provided.

Change-Id: If3ca9c4ff8a17167e5233afabdd14c948edb46de
---
M be/src/rpc/authentication-test.cc
M be/src/rpc/authentication.cc
M be/src/util/ldap-util.cc
A fe/src/test/java/org/apache/impala/customcluster/KerberosKdcEnvironment.java
M fe/src/test/java/org/apache/impala/customcluster/LdapImpalaShellTest.java
A fe/src/test/java/org/apache/impala/customcluster/LdapKerberosImpalaShellTest.java
A fe/src/test/java/org/apache/impala/customcluster/LdapKerberosImpalaShellTestBase.java
A fe/src/test/java/org/apache/impala/customcluster/LdapSearchBindDefaultFiltersKerberosImpalaShellTest.java
A fe/src/test/java/org/apache/impala/customcluster/LdapSearchBindKerberosEnabledImpalaShellTest.java
A fe/src/test/java/org/apache/impala/customcluster/LdapSimpleBindKerberosEnabledImpalaShellTest.java
M fe/src/test/java/org/apache/impala/customcluster/RunShellCommand.java
A fe/src/test/resources/adschema.ldif
A fe/src/test/resources/adusers.ldif
13 files changed, 1,439 insertions(+), 22 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/61/19561/1
--
To view, visit http://gerrit.cloudera.org:8080/19561
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: If3ca9c4ff8a17167e5233afabdd14c948edb46de
Gerrit-Change-Number: 19561
Gerrit-PatchSet: 1
Gerrit-Owner: Gergely Farkas <[email protected]>