Gergely Farkas has posted comments on this change. ( http://gerrit.cloudera.org:8080/19561 )
Change subject: IMPALA-11726: Allow LDAP user and group filter when Kerberos is enabled
......................................................................

Patch Set 6:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/19561/6/be/src/rpc/authentication.cc
File be/src/rpc/authentication.cc:

http://gerrit.cloudera.org:8080/#/c/19561/6/be/src/rpc/authentication.cc@988
PS6, Line 988: if (FLAGS_enable_ldap_auth || IsKerberosEnabled()) {
> Thank you for the detailed answer. Just trying to better understand the exe

Makes sense!

Callbacks in KERB_INT_CALLBACKS and KERB_EXT_CALLBACKS aren't chained, since the callbacks in KERB_INT_CALLBACKS are configured only on the ports used for (internal) communication between daemons. On the other hand, callbacks in KERB_EXT_CALLBACKS are configured on ports used for external communication.

Callbacks in KERB_EXT_CALLBACKS and LDAP_EXT_CALLBACKS are not chained, because they are involved in different authentication mechanisms: callbacks in LDAP_EXT_CALLBACKS are used when the authentication mechanism is PLAIN, where we have a username and a password, while callbacks in KERB_EXT_CALLBACKS (or in KERB_INT_CALLBACKS) are used when the authentication mechanism is GSSAPI, where we don't have a user and password, but only a user principal.

My first idea was to reuse the already implemented SaslLdapCheckPass function, and add a SASL_CB_SERVER_USERDB_CHECKPASS callback to the Kerberos callbacks. That's what I did, and I also created a new unit test for validating the behavior, but the test did not pass. It turned out that this callback does not play a role in the GSSAPI auth scenario, so defining this callback in the Kerberos callbacks does not solve the problem.
--
To view, visit http://gerrit.cloudera.org:8080/19561
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: If3ca9c4ff8a17167e5233afabdd14c948edb46de
Gerrit-Change-Number: 19561
Gerrit-PatchSet: 6
Gerrit-Owner: Gergely Farkas <[email protected]>
Gerrit-Reviewer: Csaba Ringhofer <[email protected]>
Gerrit-Reviewer: Gergely Farkas <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Tamas Mate <[email protected]>
Gerrit-Reviewer: Wenzhe Zhou <[email protected]>
Gerrit-Comment-Date: Tue, 07 Mar 2023 11:31:03 +0000
Gerrit-HasComments: Yes
