Gabriella Lotz has uploaded this change for review. ( http://gerrit.cloudera.org:8080/23153 )

Change subject: [REST API] Mapping Kerberos principals to local usernames
......................................................................

[REST API] Mapping Kerberos principals to local usernames

The REST API was failing authorization checks for authenticated
Kerberos users due to a mismatch between the authentication and
authorization username formats.

When users authenticate via SPNEGO, the webserver extracts the full
Kerberos principal (e.g., "[email protected]") and passes it directly to
the authorization layer. However, Ranger policies are configured with
short usernames (e.g., "test-user"), causing authorization to fail even
for properly authenticated users with valid policies.

This created an inconsistency where the same user with identical Ranger
policies could successfully perform operations via the RPC API but
would be denied when using the REST API. The RPC layer correctly maps
Kerberos principals to local usernames using MapPrincipalToLocalName()
before authorization, but the REST API was bypassing this step.

This patch adds principal-to-local username mapping to all REST API
authorization points in rest_catalog_path_handlers.cc. The
implementation uses the same MapPrincipalToLocalName() function as the
RPC layer, ensuring consistent behavior across both APIs. The mapping
fails securely, returning HTTP 403 if a Kerberos principal cannot be
mapped.

Change-Id: Ib25a7886c32cbbef35272cd5799ae84601335a34
---
M src/kudu/master/rest_catalog_path_handlers.cc
1 file changed, 69 insertions(+), 5 deletions(-)

  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/53/23153/1

--
To view, visit http://gerrit.cloudera.org:8080/23153
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib25a7886c32cbbef35272cd5799ae84601335a34
Gerrit-Change-Number: 23153
Gerrit-PatchSet: 1
Gerrit-Owner: Gabriella Lotz <[email protected]>
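
The map-then-authorize step described in the change message, as an added example that is not Kudu's code and not part of the patch. `MapToLocalName` is a hypothetical, simplified stand-in for `MapPrincipalToLocalName()`; the realm, principals and policy are constructed.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>

// Constructed policy store keyed by short username, the way the message
// says the Ranger policies are configured.
using Policy = std::map<std::string, std::set<std::string>>;
Policy SamplePolicy() {
  Policy p;
  p["test-user"].insert("list_tables");
  return p;
}

// Hypothetical, simplified mapping (assumption): only "primary@<default realm>"
// maps, to "primary". Other realms, service instances ("a/b@REALM") and
// malformed names are left unmapped.
bool MapToLocalName(const std::string& principal, const std::string& realm,
                    std::string* local) {
  const auto at = principal.find('@');
  if (at == std::string::npos || at == 0) return false;
  if (principal.substr(at + 1) != realm) return false;
  const std::string primary = principal.substr(0, at);
  if (primary.find('/') != std::string::npos) return false;
  *local = primary;
  return true;
}

bool IsAllowed(const Policy& p, const std::string& user, const std::string& action) {
  const auto it = p.find(user);
  return it != p.end() && it->second.count(action) > 0;
}

// Behaviour the message describes before the patch: the full principal is
// looked up directly, so it never matches a short-name policy.
int AuthorizeUnmapped(const Policy& p, const std::string& principal,
                      const std::string& action) {
  return IsAllowed(p, principal, action) ? 200 : 403;
}

// Map first, then authorize; an unmappable principal is denied (fail closed).
int AuthorizeMapped(const Policy& p, const std::string& principal,
                    const std::string& realm, const std::string& action) {
  std::string local;
  if (!MapToLocalName(principal, realm, &local)) return 403;
  return IsAllowed(p, local, action) ? 200 : 403;
}

int main() {
  std::cout << AuthorizeMapped(SamplePolicy(), "test-user@EXAMPLE.COM",
                               "EXAMPLE.COM", "list_tables") << "\n";
}
```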
