impala-dev mailing list archives

From "Sailesh Mukil (Code Review)" <ger...@cloudera.org>
Subject [Impala-CR](cdh5-2.5.0_5.7.0) IMPALA-3095: Add configurable whitelist of authorized internal principals
Date Sat, 27 Feb 2016 17:28:47 GMT
Sailesh Mukil has posted comments on this change.

Change subject: IMPALA-3095: Add configurable whitelist of authorized internal principals
......................................................................


Patch Set 2:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/2334/2/be/src/rpc/authentication.cc
File be/src/rpc/authentication.cc:

Line 97: C
nit: formatting, space


Line 414: split(whitelist, FLAGS_internal_principals_whitelist, is_any_of(","));
Since we default to hdfs, we always would get 'hdfs' here. But if the default was an empty
string, the 'whitelist' vector would have an empty string entry. Then the requested user can
make his name of the form "/host@realm" (where the service part is empty) and get authenticated
even though that user is not a part of the whitelist.

This can also happen if the customer by mistake adds a trailing or leading comma to the whitelist.
We should either be extra careful and weed out empty strings here, or we should document it
well that 'extra' commas are dangerous. Which do you think is better?


-- 
To view, visit http://gerrit.cloudera.org:8080/2334
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: If828e86c99c3c398319953b1d3b33d5e3af200da
Gerrit-PatchSet: 2
Gerrit-Project: Impala
Gerrit-Branch: cdh5-2.5.0_5.7.0
Gerrit-Owner: Henry Robinson <henry@cloudera.com>
Gerrit-Reviewer: Henry Robinson <henry@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sailesh@cloudera.com>
Gerrit-HasComments: Yes
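
The empty-entry problem raised in the comment on line 414, as an added example that is not part of the original message or of the Impala code base. It assumes the check compares the service part of the principal (the text before the first '/') against the split whitelist; the helper names and sample principals are hypothetical, and `SplitKeepEmpty` stands in for `boost::split` with its default behaviour of keeping empty tokens.

```cpp
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

// Mimics boost::split(out, s, is_any_of(",")) with its default settings:
// empty tokens are kept, so "" yields one empty entry and "hdfs," yields two.
std::vector<std::string> SplitKeepEmpty(const std::string& s, char delim) {
  std::vector<std::string> out;
  std::string::size_type start = 0, pos;
  while ((pos = s.find(delim, start)) != std::string::npos) {
    out.push_back(s.substr(start, pos - start));
    start = pos + 1;
  }
  out.push_back(s.substr(start));
  return out;
}

// Service part of "service/host@REALM": everything before the first '/'.
std::string ServicePart(const std::string& principal) {
  return principal.substr(0, principal.find('/'));
}

// Hypothetical check as described in the review: match on the raw split output.
bool AuthorizedNaive(const std::string& flag, const std::string& principal) {
  std::vector<std::string> wl = SplitKeepEmpty(flag, ',');
  return std::find(wl.begin(), wl.end(), ServicePart(principal)) != wl.end();
}

// Hardened: discard empty entries and never accept an empty service part.
bool AuthorizedStrict(const std::string& flag, const std::string& principal) {
  std::vector<std::string> wl = SplitKeepEmpty(flag, ',');
  wl.erase(std::remove_if(wl.begin(), wl.end(),
                          [](const std::string& e) { return e.empty(); }),
           wl.end());
  const std::string svc = ServicePart(principal);
  return !svc.empty() && std::find(wl.begin(), wl.end(), svc) != wl.end();
}

int main() {
  // Constructed sample values, not taken from the Impala code base.
  const std::string empty_service = "/host@EXAMPLE.COM";
  for (const std::string flag : {"hdfs", "", "hdfs,", ",hdfs"}) {
    std::cout << "flag=\"" << flag << "\" naive=" << AuthorizedNaive(flag, empty_service)
              << " strict=" << AuthorizedStrict(flag, empty_service) << "\n";
  }
}
```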
