Hello Dan Burkert, Alexey Serbin,

I'd like you to do a code review.  Please visit

    http://gerrit.cloudera.org:8080/4763

to review the following change.

Change subject: rpc: support GSSAPI authentication
......................................................................

rpc: support GSSAPI authentication

This patch consists of a bunch of changes necessary to support GSSAPI
(Kerberos) authentication during RPC negotiation:

- rename the authenticated user field from 'plain_auth_user' to
  'authenticated_user' and set it from the SASL_USERNAME property.
- make the calls to enable various SASL mechanisms before initializing
  the SASL client: it seems that the client grabs the mechanism option
  during sasl_client_init, rather than on the first step, so it wasn't
  picking up the GSSAPI mechanism without reordering this. This caused a
  bunch of associated reorderings in the tests.
- add code to actually enable the GSSAPI mechanism.

There are a few related test changes as well:

- MiniKDC can now create keytabs for service principals.

- MiniKDC has the ability to set the krb5-related environment variables.
  I spent quite some time trying to figure out how to programmatically
  pass these things in on a per-connection basis and came up
  empty-handed except for amusing comments like 'FIXME: This code is
  broken' where the SASL GSSAPI implementation has a half-baked
  implementation of programmatic keytab-setting.

  The test for this ability uses the krb5 API directly to verify that
  a kinitted user shows up in the local process's view of the ticket
  cache. If we don't want to inherit the direct dependency on the krb5
  headers, we could remove this test.

- The top-level test_main (which runs all tests) now explicitly
  overrides a few krb5-related environment variables so that whatever
  settings the user might have (either in env variables or in
  /etc/krb5.conf) will not be picked up by tests.

Change-Id: I3c1b93045acd428ef3437597059c5106b03e25d0
---
M src/kudu/rpc/CMakeLists.txt
M src/kudu/rpc/constants.cc
M src/kudu/rpc/negotiation.cc
M src/kudu/rpc/sasl_client.cc
M src/kudu/rpc/sasl_client.h
M src/kudu/rpc/sasl_common.cc
M src/kudu/rpc/sasl_common.h
M src/kudu/rpc/sasl_helper.cc
M src/kudu/rpc/sasl_helper.h
M src/kudu/rpc/sasl_rpc-test.cc
M src/kudu/rpc/sasl_server.cc
M src/kudu/rpc/sasl_server.h
M src/kudu/security/CMakeLists.txt
M src/kudu/security/mini_kdc-test.cc
M src/kudu/security/mini_kdc.cc
M src/kudu/security/mini_kdc.h
M src/kudu/util/test_main.cc
17 files changed, 306 insertions(+), 45 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/63/4763/1
-- 
To view, visit http://gerrit.cloudera.org:8080/4763
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I3c1b93045acd428ef3437597059c5106b03e25d0
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Todd Lipcon <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
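
The environment override described in the last bullet of the commit message, sketched as an added example; this is not code from the patch or from Kudu. The variable list (standard MIT krb5 environment variables), the function names and the sandbox path are assumptions made for this illustration.

```cpp
#include <cstdlib>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Assumption: MIT krb5 variables chosen for this example; the commit message
// does not name the ones the patch overrides.
static const std::vector<std::string> kKrb5Vars = {
    "KRB5_CONFIG", "KRB5CCNAME", "KRB5_KTNAME", "KRB5_KDC_PROFILE"};

// True if 'value' (optionally prefixed with the "FILE:" type) is under sandbox_dir.
bool InSandbox(std::string value, const std::string& sandbox_dir) {
  if (value.rfind("FILE:", 0) == 0) value.erase(0, 5);
  return value.rfind(sandbox_dir + "/", 0) == 0;
}

// Overwrite every variable with a path inside sandbox_dir so the developer's
// config, ticket cache and keytab are not inherited. Returns the old values
// ("" when the variable was unset).
std::map<std::string, std::string> IsolateKrb5Env(const std::string& sandbox_dir) {
  std::map<std::string, std::string> previous;
  for (const auto& var : kKrb5Vars) {
    const char* old = getenv(var.c_str());
    previous[var] = old ? old : "";
    std::string value = sandbox_dir + "/" + var + ".unused";
    if (var == "KRB5CCNAME") value = "FILE:" + value;  // file-based ccache name
    setenv(var.c_str(), value.c_str(), /*overwrite=*/1);
  }
  return previous;
}

// Names of variables that are unset (library defaults such as /etc/krb5.conf
// would apply) or that still point outside sandbox_dir.
std::vector<std::string> LeakedKrb5Vars(const std::string& sandbox_dir) {
  std::vector<std::string> leaked;
  for (const auto& var : kKrb5Vars) {
    const char* cur = getenv(var.c_str());
    if (cur == nullptr || !InSandbox(cur, sandbox_dir)) leaked.push_back(var);
  }
  return leaked;
}

int main() {
  const std::string sandbox = "/tmp/krb5-test-sandbox";  // constructed path
  for (const auto& kv : IsolateKrb5Env(sandbox))
    std::cout << kv.first << " was '" << kv.second << "'\n";
  return LeakedKrb5Vars(sandbox).empty() ? 0 : 1;
}
```

Calling the isolation step before any test initializes a krb5 context matters, because the library reads these variables when the context is created.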
