Sailesh Mukil has uploaded a new change for review. http://gerrit.cloudera.org:8080/7689
Change subject: IMPALA-5804 (step-1): Cherry-pick KUDU-2087
......................................................................

IMPALA-5804 (step-1): Cherry-pick KUDU-2087

KUDU-2087: Fix failure to map Kerberos principal to username with FreeIPA

FreeIPA is a piece of software that automates and simplifies management of MIT krb5, SSSD, some LDAP service, etc. FreeIPA configures a localauth plugin[1] in krb5.conf to map Kerberos principals to local usernames.

In this configuration, Kudu daemons were failing to start up due to failure to map their own service principals back to a username. This is due to a number of issues:

1) FreeIPA distinguishes between service principals and user principals and doesn't store a 'uid' field in LDAP for service principals. Thus, when 'sssd' tries to map a service principal to a local unix user, it determines that there is no such user (i.e. getpwnam() fails). This is by design, best I can tell.

2) sssd's implementation of krb5_auth_to_localname[1] uses getpwnam to try to map the kerberos principal to the local username. Because of the above, it fails for service principals.

3) Prior to el7.3, sssd configures krb5 with 'enable_only = sssd' in the localauth plugin section. This means that if sssd fails to perform the mapping, it does not fall back to other mappings defined in krb5.conf (e.g. explicitly defined auth_to_local rules). See [2].

4) Even after 7.3, there is an additional bug in sssd which I just filed[3], which causes the fallback to still not work.

Because of this, we're getting the KRB5_PLUGIN_NO_HANDLE error code back up at the Kudu layer. We already have our own fallback case for KRB5_LNAME_NO_TRANS, and it seems like we should just be handling PLUGIN_NO_HANDLE in the same way to work around the above behavior.

I tested this patch on a FreeIPA-configured system on el6.7. I was able to successfully start a master with a FreeIPA-provided keytab and authentication required, and use 'kudu table list' to authenticate to it.

[1] https://github.com/SSSD/sssd/blob/master/src/krb5_plugin/sssd_krb5_localauth_plugin.c
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1297462
[3] https://pagure.io/SSSD/sssd/issue/3459

Change-Id: Icf1541e41722c5f718d152bd531f14f270edc76d
---
M be/src/kudu/security/init.cc
1 file changed, 5 insertions(+), 1 deletion(-)

git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/89/7689/1

--
To view, visit http://gerrit.cloudera.org:8080/7689

Gerrit-MessageType: newchange
Gerrit-Change-Id: Icf1541e41722c5f718d152bd531f14f270edc76d
Gerrit-PatchSet: 1
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Sailesh Mukil <[email protected]>
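The fallback rule the change describes, as an added example (not code from the Kudu or Impala tree): the localauth mapper is a constructed stand-in for krb5_aname_to_localname() with its own result codes rather than the real krb5 constants, and the flag selects the behaviour before and after PLUGIN_NO_HANDLE is treated like LNAME_NO_TRANS.

```cpp
#include <cstddef>
#include <string>

// Constructed stand-ins for the krb5 return codes named in the commit message;
// the real values live in <krb5.h>, which this example deliberately avoids.
enum MapResult { MAP_OK, MAP_LNAME_NO_TRANS, MAP_PLUGIN_NO_HANDLE, MAP_OTHER_ERROR };

// Stand-in for the localauth plugin chain (sssd under FreeIPA): either fills
// 'out' with the local username or reports why it could not.
typedef MapResult (*LocalnameMapper)(const std::string& principal, std::string* out);

// Fallback used when no plugin translates the principal: take the first
// component, i.e. everything before the first '/' or '@'. Fails when there is
// no usable primary (empty principal, or one starting with '/' or '@').
static bool PrimaryComponent(const std::string& principal, std::string* out) {
  size_t end = principal.find_first_of("/@");
  std::string primary = principal.substr(0, end);
  if (primary.empty()) return false;
  *out = primary;
  return true;
}

// Maps a principal to a local username. 'handle_plugin_no_handle' = false is
// the old behaviour (only LNAME_NO_TRANS falls back); true is the fixed one.
// Any other mapper error is surfaced to the caller rather than guessed around.
static bool MapPrincipalToLocalName(const std::string& principal, LocalnameMapper mapper,
                                    bool handle_plugin_no_handle, std::string* out) {
  std::string mapped;
  MapResult rc = mapper(principal, &mapped);
  if (rc == MAP_OK) { *out = mapped; return true; }
  bool fall_back = rc == MAP_LNAME_NO_TRANS ||
                   (handle_plugin_no_handle && rc == MAP_PLUGIN_NO_HANDLE);
  if (!fall_back) return false;
  return PrimaryComponent(principal, out);
}

// Constructed mappers simulating the outcomes discussed above.
static MapResult SssdNoHandle(const std::string&, std::string*) { return MAP_PLUGIN_NO_HANDLE; }
static MapResult NoTrans(const std::string&, std::string*) { return MAP_LNAME_NO_TRANS; }
static MapResult HardError(const std::string&, std::string*) { return MAP_OTHER_ERROR; }
static MapResult UserFound(const std::string&, std::string* out) { *out = "alice"; return MAP_OK; }
```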
