Hello Marton Greber, Zoltan Chovan, Kudu Jenkins,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/23153

to look at the new patch set (#3).

Change subject: [webserver] Mapping Kerberos principals to local usernames
......................................................................

[webserver] Mapping Kerberos principals to local usernames

The REST API was failing authorization checks for authenticated
Kerberos users due to a mismatch between the authentication and
authorization username formats. When users authenticate via SPNEGO,
the webserver extracts the full Kerberos principal
(e.g., "[email protected]") and passes it directly to the
authorization layer. However, Ranger policies are configured with
short usernames (e.g., "test-user"), causing authorization to fail
even for properly authenticated users with valid policies.

This created an inconsistency where the same user with identical
Ranger policies could successfully perform operations via the RPC API
but would be denied when using the REST API. The RPC layer correctly
maps Kerberos principals to local usernames using
MapPrincipalToLocalName() before authorization, but the REST API was
bypassing this step.

This patch adds principal-to-local username mapping to all webserver
authorization points in webserver.cc. The implementation uses the same
MapPrincipalToLocalName() function as the RPC layer, ensuring
consistent behavior across both APIs.

Moreover, the WebRequest struct had an authn_princ field that was
renamed to username to better reflect its purpose, as it now contains
the local username after mapping.

Change-Id: Ib25a7886c32cbbef35272cd5799ae84601335a34
---
M src/kudu/master/rest_catalog_path_handlers.cc
M src/kudu/server/webserver-test.cc
M src/kudu/server/webserver.cc
M src/kudu/util/web_callback_registry.h
4 files changed, 22 insertions(+), 11 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/53/23153/3
--
To view, visit http://gerrit.cloudera.org:8080/23153
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ib25a7886c32cbbef35272cd5799ae84601335a34
Gerrit-Change-Number: 23153
Gerrit-PatchSet: 3
Gerrit-Owner: Gabriella Lotz <[email protected]>
Gerrit-Reviewer: Gabriella Lotz <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Marton Greber <[email protected]>
Gerrit-Reviewer: Zoltan Chovan <[email protected]>
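
The mismatch described in the commit message above, as an added C++ sketch that is not part of this change or of Kudu's code: a policy store keyed on short usernames denies the full principal and allows it once mapped. MapToLocalName, PolicyStore, SamplePolicies, the Authorize* helpers and the EXAMPLE.COM principal are hypothetical or constructed; the mapping is a simplified single-component, default-realm rule, not Kudu's MapPrincipalToLocalName().

```cpp
#include <map>
#include <set>
#include <string>

// Hypothetical stand-in for a principal-to-local-name mapping (not Kudu's
// MapPrincipalToLocalName()): only single-component, default-realm principals map.
bool MapToLocalName(const std::string& principal,
                    const std::string& default_realm, std::string* local) {
  const std::string::size_type at = principal.rfind('@');
  if (at == std::string::npos || at == 0) return false;
  const std::string name = principal.substr(0, at);
  // Foreign realm: never collapse test-user@OTHER.ORG onto test-user's policies.
  if (principal.substr(at + 1) != default_realm) return false;
  // Multi-component names (e.g. service/host) are not plain user accounts.
  if (name.find('/') != std::string::npos) return false;
  *local = name;
  return true;
}

// Constructed policy store keyed on short usernames, like the Ranger policies.
struct PolicyStore {
  std::map<std::string, std::set<std::string>> allowed;  // user -> actions
  bool IsAuthorized(const std::string& user, const std::string& action) const {
    const auto it = allowed.find(user);
    return it != allowed.end() && it->second.count(action) > 0;
  }
};
PolicyStore SamplePolicies() {  // constructed sample data
  PolicyStore p;
  p.allowed["test-user"].insert("create_table");
  return p;
}

// The failing behaviour: the full principal reaches authorization unmapped.
bool AuthorizeUnmapped(const PolicyStore& p, const std::string& principal,
                       const std::string& action) {
  return p.IsAuthorized(principal, action);
}

// Map first; a principal that cannot be mapped is denied, never passed through.
bool AuthorizeMapped(const PolicyStore& p, const std::string& principal,
                     const std::string& realm, const std::string& action) {
  std::string user;
  return MapToLocalName(principal, realm, &user) && p.IsAuthorized(user, action);
}

int main() {  // exits 0 when the mapped check allows the constructed user
  return AuthorizeMapped(SamplePolicies(), "test-user@EXAMPLE.COM",
                         "EXAMPLE.COM", "create_table") ? 0 : 1;
}
```

Denying unmapped principals keeps a user from another realm, or a service principal, from matching a policy written for a local short name.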
