[jira] [Commented] (IMPALA-4978) Impala should set the kerberos principal to the FQDN

Thu, 09 Aug 2018 17:43:36 -0700 


    [ 
https://issues.apache.org/jira/browse/IMPALA-4978?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16575612#comment-16575612
 ] 

Sailesh Mukil commented on IMPALA-4978:
---------------------------------------

https://github.com/apache/impala/blob/3e17705ecaba0b6ab9ae929e6c7c409e0b6aea1d/be/src/rpc/authentication.cc#L787-L788

We already do this now since we get the principal from the Kudu security code, 
which already tries to get the FQDN. We should do the same here however:
https://github.com/apache/impala/blob/3e17705ecaba0b6ab9ae929e6c7c409e0b6aea1d/be/src/rpc/authentication.cc#L814

And also make sure that our process wide hostname flag (FLAGS_hostname) has the 
same value:
https://github.com/apache/impala/blob/7f9a74ffcaf1818f1f3c9d427557acca21a627da/be/src/common/init.cc#L191

> Impala should set the kerberos principal to the FQDN
> ----------------------------------------------------
>
>                 Key: IMPALA-4978
>                 URL: https://issues.apache.org/jira/browse/IMPALA-4978
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: Impala 2.3.0
>            Reporter: Sailesh Mukil
>            Assignee: Sailesh Mukil
>            Priority: Major
>              Labels: security
>
> Impala calls gethostname() to get the local system's name which is used as a 
> part of the kerberos principal. This usually works fine under most settings, 
> however, this is not guaranteed to return the FQDN of the host under certain 
> settings (Eg: possibly while using a DNS GSLB).
> Impala should attempt to get the FQDN first which can be obtained by using 
> getaddrinfo(), and fallback to gethostname() otherwise. This is the behavior 
> of Hadoop, which we should try to match as closely as possible:
> https://github.com/apache/hadoop/blob/master/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SecurityUtil.java#L169



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org
For additional commands, e-mail: issues-all-h...@impala.apache.org

Reply via email to