[Impala-ASF-CR] IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

2020-08-13 Thread Impala Public Jenkins (Code Review)
Impala Public Jenkins has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/16252 )

Change subject: IMPALA-9988 (part 2): Integrate ldap filters and 
impala.doas.user
..


Patch Set 7: Verified+1


--
To view, visit http://gerrit.cloudera.org:8080/16252
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Gerrit-Change-Number: 16252
Gerrit-PatchSet: 7
Gerrit-Owner: Thomas Tauber-Marshall 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Reviewer: Tamas Mate 
Gerrit-Reviewer: Thomas Tauber-Marshall 
Gerrit-Reviewer: Tim Armstrong 
Gerrit-Comment-Date: Fri, 14 Aug 2020 01:42:29 +
Gerrit-HasComments: No


[Impala-ASF-CR] IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

2020-08-13 Thread Impala Public Jenkins (Code Review)
Impala Public Jenkins has submitted this change and it was merged. ( 
http://gerrit.cloudera.org:8080/16252 )

Change subject: IMPALA-9988 (part 2): Integrate ldap filters and 
impala.doas.user
..

IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

This patch fixes the integration between LDAP filters and proxy
users by ensuring that the 'impala.doas.user' HS2 config option is
considered when applying filters. This requires deferring checking the
filters until the OpenSession() call.

This patch also introduces new flags --ldap_bind_dn and
--ldap_bind_password_cmd which must be specified in order to use LDAP
filters, unless the LDAP server is set up to allow anonymous binds.

It also uses some gflag utilities from Kudu to tag
--ldap_bind_password_cmd as sensitive and redact it on the webui and
in logging in order to increase security in case a user specifies it
as 'echo '

These config options are modeled after equivalent options in Hue:
https://github.com/cloudera/hue/blob/master/desktop/conf.dist/hue.ini#L425

Testing:
- Added a test that uses the 'impala.doas.user' config with LDAP
  filters.

Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Reviewed-on: http://gerrit.cloudera.org:8080/16252
Reviewed-by: Impala Public Jenkins 
Tested-by: Impala Public Jenkins 
---
M be/src/common/logging.cc
M be/src/rpc/authentication.cc
M be/src/service/impala-hs2-server.cc
M be/src/service/impala-server.cc
M be/src/service/impala-server.h
M be/src/util/default-path-handlers.cc
M be/src/util/ldap-util.cc
M be/src/util/ldap-util.h
M be/src/util/webserver.cc
M fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java
M fe/src/test/java/org/apache/impala/customcluster/LdapImpalaShellTest.java
M fe/src/test/java/org/apache/impala/customcluster/LdapWebserverTest.java
M fe/src/test/java/org/apache/impala/testutil/LdapUtil.java
13 files changed, 235 insertions(+), 57 deletions(-)

Approvals:
  Impala Public Jenkins: Looks good to me, approved; Verified


Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Gerrit-Change-Number: 16252
Gerrit-PatchSet: 8
Gerrit-Owner: Thomas Tauber-Marshall 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Reviewer: Tamas Mate 
Gerrit-Reviewer: Thomas Tauber-Marshall 
Gerrit-Reviewer: Tim Armstrong 
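
Why the filter check has to wait for OpenSession(), shown as an added example that is not code from the Impala change: a small C++ model in which filters evaluated at authentication time only ever see the connecting proxy account. All names (`Directory`, `LdapFilters`, `Session`, `CheckAtAuthentication`, `CheckAtOpenSession`) and the sample users are hypothetical, and the model assumes the filters are evaluated against the effective user (the 'impala.doas.user' value when set, otherwise the authenticated user) and that proxy authorization itself is handled elsewhere.

```cpp
// Added example: a simplified model, not Impala's implementation.
// Every type and function name below is hypothetical.
#include <iostream>
#include <map>
#include <set>
#include <string>

// Constructed stand-in for the LDAP directory: user -> group memberships.
using Directory = std::map<std::string, std::set<std::string>>;

struct LdapFilters {
  std::set<std::string> allowed_users;   // empty means "no user filter"
  std::set<std::string> allowed_groups;  // empty means "no group filter"

  // Modelling assumption: a user must exist and satisfy every configured filter.
  bool Passes(const Directory& dir, const std::string& user) const {
    auto it = dir.find(user);
    if (it == dir.end()) return false;
    if (!allowed_users.empty() && allowed_users.count(user) == 0) return false;
    if (allowed_groups.empty()) return true;
    for (const std::string& group : it->second) {
      if (allowed_groups.count(group) != 0) return true;
    }
    return false;
  }
};

struct Session {
  std::string connected_user;  // identity proven when the connection authenticated
  std::string doas_user;       // 'impala.doas.user' from OpenSession, may be empty

  const std::string& EffectiveUser() const {
    return doas_user.empty() ? connected_user : doas_user;
  }
};

struct Decision {
  bool allowed;
  std::string checked_user;  // which identity the filters were evaluated against
};

// Filters evaluated at authentication time: the delegation target is not known
// yet, so only the connecting (proxy) account can be checked.
Decision CheckAtAuthentication(const Directory& dir, const LdapFilters& filters,
                               const Session& s) {
  return {filters.Passes(dir, s.connected_user), s.connected_user};
}

// Filters deferred until OpenSession: the session configuration has been read,
// so the check takes the delegated user into account.
Decision CheckAtOpenSession(const Directory& dir, const LdapFilters& filters,
                            const Session& s) {
  const std::string& user = s.EffectiveUser();
  return {filters.Passes(dir, user), user};
}

// Constructed sample data: 'hue' is a proxy account inside the allowed group,
// 'bob' is a directory user outside it.
Directory SampleDirectory() {
  Directory dir;
  dir["hue"] = {"services", "analysts"};
  dir["alice"] = {"analysts"};
  dir["bob"] = {"contractors"};
  return dir;
}

LdapFilters SampleFilters() {
  LdapFilters filters;
  filters.allowed_groups.insert("analysts");
  return filters;
}

int main() {
  const Directory dir = SampleDirectory();
  const LdapFilters filters = SampleFilters();
  const Session sessions[] = {{"hue", "alice"}, {"hue", "bob"}, {"alice", ""}};
  for (const Session& s : sessions) {
    const Decision early = CheckAtAuthentication(dir, filters, s);
    const Decision late = CheckAtOpenSession(dir, filters, s);
    std::cout << s.connected_user << " doas '" << s.doas_user << "': at-auth="
              << early.allowed << " (" << early.checked_user << "), open-session="
              << late.allowed << " (" << late.checked_user << ")\n";
  }
  return 0;
}
```

In the `hue` doas `bob` case the early check passes because it only evaluates `hue`, while the deferred check evaluates `bob` and rejects the session.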


[Impala-ASF-CR] IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

2020-08-13 Thread Impala Public Jenkins (Code Review)
Impala Public Jenkins has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/16252 )

Change subject: IMPALA-9988 (part 2): Integrate ldap filters and 
impala.doas.user
..


Patch Set 7:

Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/6290/ 
DRY_RUN=false



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Gerrit-Change-Number: 16252
Gerrit-PatchSet: 7
Gerrit-Owner: Thomas Tauber-Marshall 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Reviewer: Tamas Mate 
Gerrit-Reviewer: Thomas Tauber-Marshall 
Gerrit-Reviewer: Tim Armstrong 
Gerrit-Comment-Date: Thu, 13 Aug 2020 20:27:47 +
Gerrit-HasComments: No


[Impala-ASF-CR] IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

2020-08-13 Thread Impala Public Jenkins (Code Review)
Impala Public Jenkins has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/16252 )

Change subject: IMPALA-9988 (part 2): Integrate ldap filters and 
impala.doas.user
..


Patch Set 7: Code-Review+2



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Gerrit-Change-Number: 16252
Gerrit-PatchSet: 7
Gerrit-Owner: Thomas Tauber-Marshall 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Reviewer: Tamas Mate 
Gerrit-Reviewer: Thomas Tauber-Marshall 
Gerrit-Reviewer: Tim Armstrong 
Gerrit-Comment-Date: Thu, 13 Aug 2020 20:27:46 +
Gerrit-HasComments: No


[Impala-ASF-CR] IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

2020-08-12 Thread Thomas Tauber-Marshall (Code Review)
Thomas Tauber-Marshall has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/16252 )

Change subject: IMPALA-9988 (part 2): Integrate ldap filters and 
impala.doas.user
..


Patch Set 6: Code-Review+2

merge failure due to IMPALA-10054, rebased



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Gerrit-Change-Number: 16252
Gerrit-PatchSet: 6
Gerrit-Owner: Thomas Tauber-Marshall 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Reviewer: Tamas Mate 
Gerrit-Reviewer: Thomas Tauber-Marshall 
Gerrit-Reviewer: Tim Armstrong 
Gerrit-Comment-Date: Wed, 12 Aug 2020 16:18:19 +
Gerrit-HasComments: No


[Impala-ASF-CR] IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

2020-08-11 Thread Impala Public Jenkins (Code Review)
Impala Public Jenkins has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/16252 )

Change subject: IMPALA-9988 (part 2): Integrate ldap filters and 
impala.doas.user
..


Patch Set 5: Verified-1

Build failed: https://jenkins.impala.io/job/gerrit-verify-dryrun/6267/



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Gerrit-Change-Number: 16252
Gerrit-PatchSet: 5
Gerrit-Owner: Thomas Tauber-Marshall 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Reviewer: Tamas Mate 
Gerrit-Reviewer: Thomas Tauber-Marshall 
Gerrit-Reviewer: Tim Armstrong 
Gerrit-Comment-Date: Tue, 11 Aug 2020 22:40:15 +
Gerrit-HasComments: No


[Impala-ASF-CR] IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

2020-08-11 Thread Impala Public Jenkins (Code Review)
Impala Public Jenkins has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/16252 )

Change subject: IMPALA-9988 (part 2): Integrate ldap filters and 
impala.doas.user
..


Patch Set 5: Code-Review+2



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Gerrit-Change-Number: 16252
Gerrit-PatchSet: 5
Gerrit-Owner: Thomas Tauber-Marshall 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Reviewer: Tamas Mate 
Gerrit-Reviewer: Thomas Tauber-Marshall 
Gerrit-Reviewer: Tim Armstrong 
Gerrit-Comment-Date: Tue, 11 Aug 2020 17:35:05 +
Gerrit-HasComments: No


[Impala-ASF-CR] IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

2020-08-11 Thread Impala Public Jenkins (Code Review)
Impala Public Jenkins has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/16252 )

Change subject: IMPALA-9988 (part 2): Integrate ldap filters and 
impala.doas.user
..


Patch Set 5:

Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/6267/ 
DRY_RUN=false



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Gerrit-Change-Number: 16252
Gerrit-PatchSet: 5
Gerrit-Owner: Thomas Tauber-Marshall 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Reviewer: Tamas Mate 
Gerrit-Reviewer: Thomas Tauber-Marshall 
Gerrit-Reviewer: Tim Armstrong 
Gerrit-Comment-Date: Tue, 11 Aug 2020 17:35:05 +
Gerrit-HasComments: No


[Impala-ASF-CR] IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

2020-08-11 Thread Tim Armstrong (Code Review)
Tim Armstrong has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/16252 )

Change subject: IMPALA-9988 (part 2): Integrate ldap filters and 
impala.doas.user
..


Patch Set 4: Code-Review+2



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Gerrit-Change-Number: 16252
Gerrit-PatchSet: 4
Gerrit-Owner: Thomas Tauber-Marshall 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Reviewer: Tamas Mate 
Gerrit-Reviewer: Thomas Tauber-Marshall 
Gerrit-Reviewer: Tim Armstrong 
Gerrit-Comment-Date: Tue, 11 Aug 2020 17:31:27 +
Gerrit-HasComments: No


[Impala-ASF-CR] IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

2020-08-06 Thread Impala Public Jenkins (Code Review)
Impala Public Jenkins has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/16252 )

Change subject: IMPALA-9988 (part 2): Integrate ldap filters and 
impala.doas.user
..


Patch Set 4:

Build Successful

https://jenkins.impala.io/job/gerrit-code-review-checks/6816/ : Initial code 
review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun 
to run full precommit tests.



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Gerrit-Change-Number: 16252
Gerrit-PatchSet: 4
Gerrit-Owner: Thomas Tauber-Marshall 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Reviewer: Tamas Mate 
Gerrit-Reviewer: Thomas Tauber-Marshall 
Gerrit-Reviewer: Tim Armstrong 
Gerrit-Comment-Date: Thu, 06 Aug 2020 23:13:24 +
Gerrit-HasComments: No


[Impala-ASF-CR] IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

2020-08-06 Thread Thomas Tauber-Marshall (Code Review)
Thomas Tauber-Marshall has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/16252 )

Change subject: IMPALA-9988 (part 2): Integrate ldap filters and 
impala.doas.user
..


Patch Set 4:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/16252/2//COMMIT_MSG
Commit Message:

http://gerrit.cloudera.org:8080/#/c/16252/2//COMMIT_MSG@7
PS2, Line 7: IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user
> OK by me
Done




Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Gerrit-Change-Number: 16252
Gerrit-PatchSet: 4
Gerrit-Owner: Thomas Tauber-Marshall 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Reviewer: Tamas Mate 
Gerrit-Reviewer: Thomas Tauber-Marshall 
Gerrit-Reviewer: Tim Armstrong 
Gerrit-Comment-Date: Thu, 06 Aug 2020 22:40:12 +
Gerrit-HasComments: Yes


[Impala-ASF-CR] IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

2020-08-06 Thread Thomas Tauber-Marshall (Code Review)
Hello Tamas Mate, Tim Armstrong, Impala Public Jenkins,

I'd like you to reexamine a change. Please visit

http://gerrit.cloudera.org:8080/16252

to look at the new patch set (#4).

Change subject: IMPALA-9988 (part 2): Integrate ldap filters and 
impala.doas.user
..

IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

This patch fixes the integration between LDAP filters and proxy
users by ensuring that the 'impala.doas.user' HS2 config option is
considered when applying filters. This requires deferring checking the
filters until the OpenSession() call.

This patch also introduces new flags --ldap_bind_dn and
--ldap_bind_password_cmd which must be specified in order to use LDAP
filters, unless the LDAP server is set up to allow anonymous binds.

It also uses some gflag utilities from Kudu to tag
--ldap_bind_password_cmd as sensitive and redact it on the webui and
in logging in order to increase security in case a user specifies it
as 'echo '

These config options are modeled after equivalent options in Hue:
https://github.com/cloudera/hue/blob/master/desktop/conf.dist/hue.ini#L425

Testing:
- Added a test that uses the 'impala.doas.user' config with LDAP
  filters.

Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
---
M be/src/common/logging.cc
M be/src/rpc/authentication.cc
M be/src/service/impala-hs2-server.cc
M be/src/service/impala-server.cc
M be/src/service/impala-server.h
M be/src/util/default-path-handlers.cc
M be/src/util/ldap-util.cc
M be/src/util/ldap-util.h
M be/src/util/webserver.cc
M fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java
M fe/src/test/java/org/apache/impala/customcluster/LdapImpalaShellTest.java
M fe/src/test/java/org/apache/impala/customcluster/LdapWebserverTest.java
M fe/src/test/java/org/apache/impala/testutil/LdapUtil.java
13 files changed, 235 insertions(+), 57 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/52/16252/4

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Gerrit-Change-Number: 16252
Gerrit-PatchSet: 4
Gerrit-Owner: Thomas Tauber-Marshall 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Reviewer: Tamas Mate 
Gerrit-Reviewer: Thomas Tauber-Marshall 
Gerrit-Reviewer: Tim Armstrong 


[Impala-ASF-CR] IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

2020-08-05 Thread Tim Armstrong (Code Review)
Tim Armstrong has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/16252 )

Change subject: IMPALA-9988 (part 2): Integrate ldap filters and 
impala.doas.user
..


Patch Set 2:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/16252/2//COMMIT_MSG
Commit Message:

http://gerrit.cloudera.org:8080/#/c/16252/2//COMMIT_MSG@7
PS2, Line 7: IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user
> That's a good point. It seems that if the LDAP filters are enabled then we
OK by me




Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Gerrit-Change-Number: 16252
Gerrit-PatchSet: 2
Gerrit-Owner: Thomas Tauber-Marshall 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Reviewer: Tamas Mate 
Gerrit-Reviewer: Thomas Tauber-Marshall 
Gerrit-Reviewer: Tim Armstrong 
Gerrit-Comment-Date: Thu, 06 Aug 2020 02:34:09 +
Gerrit-HasComments: Yes


[Impala-ASF-CR] IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

2020-08-05 Thread Thomas Tauber-Marshall (Code Review)
Thomas Tauber-Marshall has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/16252 )

Change subject: IMPALA-9988 (part 2): Integrate ldap filters and 
impala.doas.user
..


Patch Set 3:

(3 comments)

http://gerrit.cloudera.org:8080/#/c/16252/2//COMMIT_MSG
Commit Message:

http://gerrit.cloudera.org:8080/#/c/16252/2//COMMIT_MSG@7
PS2, Line 7: IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user
> I was trying to understand the expected interaction between LDAP and Kerber
That's a good point. It seems that if the LDAP filters are enabled then we have 
to be applying them to all connections, even ones that authenticate through 
Kerberos. Fortunately, the --ldap_bind_user/pass requirement makes that pretty 
easy to do.

Unfortunately, it's a tricky thing to test since our support for Kerberos in dev 
environments is poor, so if it's okay I would prefer to leave it for a follow-up 
patch and for now just disallow having the filters specified if Kerberos is 
also turned on for external connections.


http://gerrit.cloudera.org:8080/#/c/16252/2/be/src/util/ldap-util.cc
File be/src/util/ldap-util.cc:

http://gerrit.cloudera.org:8080/#/c/16252/2/be/src/util/ldap-util.cc@61
PS2, Line 61: "required if user or group filters are being used and the 
LDAP server is not "
> For other password command line flags, we actually have a command that is r
Done


http://gerrit.cloudera.org:8080/#/c/16252/2/be/src/util/ldap-util.cc@228
PS2, Line 228:
> nit: one line?
Done




Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Gerrit-Change-Number: 16252
Gerrit-PatchSet: 3
Gerrit-Owner: Thomas Tauber-Marshall 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Reviewer: Tamas Mate 
Gerrit-Reviewer: Thomas Tauber-Marshall 
Gerrit-Reviewer: Tim Armstrong 
Gerrit-Comment-Date: Thu, 06 Aug 2020 00:52:17 +
Gerrit-HasComments: Yes


[Impala-ASF-CR] IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

2020-08-05 Thread Impala Public Jenkins (Code Review)
Impala Public Jenkins has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/16252 )

Change subject: IMPALA-9988 (part 2): Integrate ldap filters and 
impala.doas.user
..


Patch Set 3:

Build Successful

https://jenkins.impala.io/job/gerrit-code-review-checks/6799/ : Initial code 
review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun 
to run full precommit tests.



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Gerrit-Change-Number: 16252
Gerrit-PatchSet: 3
Gerrit-Owner: Thomas Tauber-Marshall 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Reviewer: Tamas Mate 
Gerrit-Reviewer: Tim Armstrong 
Gerrit-Comment-Date: Wed, 05 Aug 2020 23:38:14 +
Gerrit-HasComments: No


[Impala-ASF-CR] IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

2020-08-05 Thread Thomas Tauber-Marshall (Code Review)
Hello Tamas Mate, Tim Armstrong, Impala Public Jenkins,

I'd like you to reexamine a change. Please visit

http://gerrit.cloudera.org:8080/16252

to look at the new patch set (#3).

Change subject: IMPALA-9988 (part 2): Integrate ldap filters and 
impala.doas.user
..

IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

This patch fixes the integration between LDAP filters and proxy
users by ensuring that the 'impala.doas.user' HS2 config option is
considered when applying filters. This requires deferring checking the
filters until the OpenSession() call.

This patch also introduces new flags --ldap_bind_dn and
--ldap_bind_password which must be specified in order to use LDAP
filters, unless the LDAP server is set up to allow anonymous binds.

These config options are modeled after equivalent options in Hue:
https://github.com/cloudera/hue/blob/master/desktop/conf.dist/hue.ini#L425

Testing:
- Added a test that uses the 'impala.doas.user' config with LDAP
  filters.

Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
---
M be/src/rpc/authentication.cc
M be/src/service/impala-hs2-server.cc
M be/src/service/impala-server.cc
M be/src/service/impala-server.h
M be/src/util/ldap-util.cc
M be/src/util/ldap-util.h
M be/src/util/webserver.cc
M fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java
M fe/src/test/java/org/apache/impala/customcluster/LdapImpalaShellTest.java
M fe/src/test/java/org/apache/impala/customcluster/LdapWebserverTest.java
M fe/src/test/java/org/apache/impala/testutil/LdapUtil.java
11 files changed, 227 insertions(+), 54 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/52/16252/3

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Gerrit-Change-Number: 16252
Gerrit-PatchSet: 3
Gerrit-Owner: Thomas Tauber-Marshall 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Reviewer: Tamas Mate 
Gerrit-Reviewer: Tim Armstrong 


[Impala-ASF-CR] IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

2020-08-05 Thread Tim Armstrong (Code Review)
Tim Armstrong has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/16252 )

Change subject: IMPALA-9988 (part 2): Integrate ldap filters and 
impala.doas.user
..


Patch Set 2:

(3 comments)

The implementation looks good, my questions are about the desired behaviour.

http://gerrit.cloudera.org:8080/#/c/16252/2//COMMIT_MSG
Commit Message:

http://gerrit.cloudera.org:8080/#/c/16252/2//COMMIT_MSG@7
PS2, Line 7: IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user
I was trying to understand the expected interaction between LDAP and Kerberos 
here.

It seems like the filters are applied when delegating if LDAP and Kerberos are 
both enabled regardless of how the client authenticated. I think this could 
make sense, since Kerberos auth doesn't check group membership.

I was wondering if they should also be applied if the filters are configured 
and only Kerberos auth is enabled. Or if we should explicitly document when the 
LDAP filters don't apply.

I think the same thing also applies to the initial Kerberos authentication - 
should it be checking LDAP filters then too?

Some of this is outside the scope of this particular patch, but I wanted to 
understand what end-point we should be aiming for.


http://gerrit.cloudera.org:8080/#/c/16252/2/be/src/util/ldap-util.cc
File be/src/util/ldap-util.cc:

http://gerrit.cloudera.org:8080/#/c/16252/2/be/src/util/ldap-util.cc@61
PS2, Line 61: DEFINE_string(ldap_bind_password, "", "Password for 
--ldap_bind_dn");
For other password command line flags, we actually have a command that is run, 
so that the password doesn't need to be present on the command line. Should we 
replicate this pattern here?

ssl_private_key_password_cmd, webserver_private_key_password_cmd,
webserver_password_file

are what I was looking at


http://gerrit.cloudera.org:8080/#/c/16252/2/be/src/util/ldap-util.cc@228
PS2, Line 228:   if (!success) {
nit: one line?




Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Gerrit-Change-Number: 16252
Gerrit-PatchSet: 2
Gerrit-Owner: Thomas Tauber-Marshall 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Reviewer: Tamas Mate 
Gerrit-Reviewer: Tim Armstrong 
Gerrit-Comment-Date: Wed, 05 Aug 2020 18:09:35 +
Gerrit-HasComments: Yes
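
The password-command pattern raised in the review comment above, combined with the redaction that the merged commit message describes for --ldap_bind_password_cmd, as an added example that is not code from Impala or Kudu. `Flag`, `FlagMap`, `RunPasswordCmd`, `RenderFlags`, `ResolveBindCredentials`, the bind DN and the command value are hypothetical or constructed; requiring both flags together is a choice of this sketch.

```cpp
// Added example: a sketch of the pattern, not Impala's or Kudu's code.
// Flag, FlagMap and the function names are hypothetical.
#include <cstdio>
#include <iostream>
#include <map>
#include <sstream>
#include <string>

struct Flag {
  std::string value;
  bool sensitive;  // tagged flags are never printed verbatim
};
using FlagMap = std::map<std::string, Flag>;

// Runs `cmd` via the shell and stores its stdout, minus trailing newlines, in
// *secret. The error text deliberately omits the command line, because the
// command itself may embed the secret (for example an 'echo' of the password).
bool RunPasswordCmd(const std::string& cmd, std::string* secret, std::string* error) {
  FILE* pipe = popen(cmd.c_str(), "r");
  if (pipe == nullptr) {
    *error = "could not start password command";
    return false;
  }
  std::string out;
  char buf[256];
  size_t n;
  while ((n = fread(buf, 1, sizeof(buf), pipe)) > 0) out.append(buf, n);
  if (pclose(pipe) != 0) {
    *error = "password command exited with an error";
    return false;
  }
  while (!out.empty() && (out.back() == '\n' || out.back() == '\r')) out.pop_back();
  *secret = out;
  return true;
}

// What a log line or debug web page would show for the current flags.
std::string RenderFlags(const FlagMap& flags) {
  std::ostringstream os;
  for (const auto& entry : flags) {
    os << "--" << entry.first << "="
       << (entry.second.sensitive ? "<redacted>" : entry.second.value) << "\n";
  }
  return os.str();
}

struct BindCredentials {
  bool anonymous = true;
  std::string dn;
  std::string password;
};

// Resolves the identity used for filter lookups. With neither flag set the
// caller falls back to an anonymous bind; this sketch rejects a half-configured
// pair instead of guessing.
bool ResolveBindCredentials(const FlagMap& flags, BindCredentials* creds,
                            std::string* error) {
  auto dn = flags.find("ldap_bind_dn");
  auto cmd = flags.find("ldap_bind_password_cmd");
  const bool has_dn = dn != flags.end() && !dn->second.value.empty();
  const bool has_cmd = cmd != flags.end() && !cmd->second.value.empty();
  *creds = BindCredentials();
  if (!has_dn && !has_cmd) return true;  // anonymous bind
  if (has_dn != has_cmd) {
    *error = "--ldap_bind_dn and --ldap_bind_password_cmd must be set together";
    return false;
  }
  if (!RunPasswordCmd(cmd->second.value, &creds->password, error)) return false;
  creds->anonymous = false;
  creds->dn = dn->second.value;
  return true;
}

// Constructed sample configuration; the command embeds the secret on purpose.
FlagMap SampleFlags() {
  FlagMap flags;
  flags["ldap_bind_dn"] = Flag{"cn=impala-svc,dc=example,dc=com", false};
  flags["ldap_bind_password_cmd"] = Flag{"echo constructed-secret", true};
  return flags;
}

int main() {
  const FlagMap flags = SampleFlags();
  std::cout << RenderFlags(flags);
  BindCredentials creds;
  std::string error;
  if (!ResolveBindCredentials(flags, &creds, &error)) {
    std::cerr << "bind setup failed: " << error << "\n";
    return 1;
  }
  std::cout << "bind dn: " << creds.dn << ", password length: "
            << creds.password.size() << "\n";
  return 0;
}
```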


[Impala-ASF-CR] IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

2020-08-04 Thread Impala Public Jenkins (Code Review)
Impala Public Jenkins has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/16252 )

Change subject: IMPALA-9988 (part 2): Integrate ldap filters and 
impala.doas.user
..


Patch Set 2: Verified+1



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Gerrit-Change-Number: 16252
Gerrit-PatchSet: 2
Gerrit-Owner: Thomas Tauber-Marshall 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Reviewer: Tamas Mate 
Gerrit-Reviewer: Tim Armstrong 
Gerrit-Comment-Date: Wed, 05 Aug 2020 03:32:13 +
Gerrit-HasComments: No


[Impala-ASF-CR] IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

2020-08-04 Thread Impala Public Jenkins (Code Review)
Impala Public Jenkins has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/16252 )

Change subject: IMPALA-9988 (part 2): Integrate ldap filters and 
impala.doas.user
..


Patch Set 2:

Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/6225/ 
DRY_RUN=false



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Gerrit-Change-Number: 16252
Gerrit-PatchSet: 2
Gerrit-Owner: Thomas Tauber-Marshall 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Reviewer: Tim Armstrong 
Gerrit-Comment-Date: Tue, 04 Aug 2020 22:32:45 +
Gerrit-HasComments: No


[Impala-ASF-CR] IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

2020-08-04 Thread Impala Public Jenkins (Code Review)
Impala Public Jenkins has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/16252 )

Change subject: IMPALA-9988 (part 2): Integrate ldap filters and 
impala.doas.user
..


Patch Set 2:

Build Successful

https://jenkins.impala.io/job/gerrit-code-review-checks/6790/ : Initial code 
review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun 
to run full precommit tests.



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Gerrit-Change-Number: 16252
Gerrit-PatchSet: 2
Gerrit-Owner: Thomas Tauber-Marshall 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Reviewer: Tim Armstrong 
Gerrit-Comment-Date: Tue, 04 Aug 2020 21:51:17 +
Gerrit-HasComments: No


[Impala-ASF-CR] IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

2020-08-04 Thread Thomas Tauber-Marshall (Code Review)
Hello Tim Armstrong, Impala Public Jenkins,

I'd like you to reexamine a change. Please visit

http://gerrit.cloudera.org:8080/16252

to look at the new patch set (#2).

Change subject: IMPALA-9988 (part 2): Integrate ldap filters and 
impala.doas.user
..

IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

This patch fixes the integration between LDAP filters and proxy
users by ensuring that the 'impala.doas.user' HS2 config option is
considered when applying filters. This requires deferring checking the
filters until the OpenSession() call.

This patch also introduces new flags --ldap_bind_dn and
--ldap_bind_password which must be specified in order to use LDAP
filters, unless the LDAP server is set up to allow anonymous binds.

These config options are modeled after equivalent options in Hue:
https://github.com/cloudera/hue/blob/master/desktop/conf.dist/hue.ini#L425

Testing:
- Added a test that uses the 'impala.doas.user' config with LDAP
  filters.

Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
---
M be/src/rpc/authentication.cc
M be/src/service/impala-hs2-server.cc
M be/src/service/impala-server.cc
M be/src/service/impala-server.h
M be/src/util/ldap-util.cc
M be/src/util/ldap-util.h
M be/src/util/webserver.cc
M fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java
M fe/src/test/java/org/apache/impala/customcluster/LdapImpalaShellTest.java
M fe/src/test/java/org/apache/impala/customcluster/LdapWebserverTest.java
M fe/src/test/java/org/apache/impala/testutil/LdapUtil.java
11 files changed, 200 insertions(+), 54 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/52/16252/2

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Gerrit-Change-Number: 16252
Gerrit-PatchSet: 2
Gerrit-Owner: Thomas Tauber-Marshall 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Reviewer: Tim Armstrong 


[Impala-ASF-CR] IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

2020-07-29 Thread Impala Public Jenkins (Code Review)
Impala Public Jenkins has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/16252 )

Change subject: IMPALA-9988 (part 2): Integrate ldap filters and 
impala.doas.user
..


Patch Set 1:

Build Successful

https://jenkins.impala.io/job/gerrit-code-review-checks/6730/ : Initial code 
review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun 
to run full precommit tests.



Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Gerrit-Change-Number: 16252
Gerrit-PatchSet: 1
Gerrit-Owner: Thomas Tauber-Marshall 
Gerrit-Reviewer: Impala Public Jenkins 
Gerrit-Reviewer: Tim Armstrong 
Gerrit-Comment-Date: Wed, 29 Jul 2020 19:35:54 +
Gerrit-HasComments: No


[Impala-ASF-CR] IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

2020-07-29 Thread Thomas Tauber-Marshall (Code Review)
Thomas Tauber-Marshall has uploaded this change for review. ( 
http://gerrit.cloudera.org:8080/16252 )


Change subject: IMPALA-9988 (part 2): Integrate ldap filters and 
impala.doas.user
..

IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

This patch fixes the integration between LDAP filters and proxy
users by ensuring that the 'impala.doas.user' HS2 config option is
considered when applying filters. This requires deferring checking the
filters until the OpenSession() call.

This patch also introduces new flags --ldap_bind_dn and
--ldap_bind_password which must be specified in order to use LDAP
filters, unless the LDAP server is set up to allow anonymous binds.

These config options are modeled after equivalent options in Hue:
https://github.com/cloudera/hue/blob/master/desktop/conf.dist/hue.ini#L425

Testing:
- Added a test that uses the 'impala.doas.user' config with LDAP
  filters.

Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
---
M be/src/rpc/authentication.cc
M be/src/service/impala-hs2-server.cc
M be/src/service/impala-server.cc
M be/src/service/impala-server.h
M be/src/util/ldap-util.cc
M be/src/util/ldap-util.h
M be/src/util/webserver.cc
M fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java
M fe/src/test/java/org/apache/impala/customcluster/LdapImpalaShellTest.java
M fe/src/test/java/org/apache/impala/customcluster/LdapWebserverTest.java
M fe/src/test/java/org/apache/impala/testutil/LdapUtil.java
11 files changed, 200 insertions(+), 54 deletions(-)



  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/52/16252/1

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Gerrit-Change-Number: 16252
Gerrit-PatchSet: 1
Gerrit-Owner: Thomas Tauber-Marshall