kudu-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From t...@apache.org
Subject [1/4] kudu git commit: KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA
Date Tue, 01 Aug 2017 21:10:47 GMT
Repository: kudu
Updated Branches:
  refs/heads/master 57a1962aa -> de43ffe77


KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA

FreeIPA is a piece of software that automates and simplifies management
of MIT krb5, SSSD, some LDAP service, etc. FreeIPA configures a
localauth plugin[1] in krb5.conf to map Kerberos principals to local
usernames. In this configuration, Kudu daemons were failing to start up
due to failure to map their own service principals back to a username.
This is due to a number of issues:

1) FreeIPA distinguishes between service principals and user principals
and doesn't store a 'uid' field in LDAP for service principals. Thus,
when 'sssd' tries to map a service principal to a local unix user, it
determines that there is no such user (ie getpwnam() fails). This is by
design, best I can tell.

2) sssd's implementation of krb5_auth_to_localname[1] uses getpwnam to try
to map the kerberos principal to the local username. Because of the
above, it fails for service principals.

3) Prior to el7.3, ssd configures krb5 with 'enable_only = sssd' in the
localauth plugin section. This means that if sssd fails to perform the
mapping, it does not fall back to other mappings defined in krb5.conf
(eg explicitly defined auth_to_local rules). See [2]

4) Even after 7.3, there is an additional bug in sssd which I just
filed[3], which causes the fallback to still not work. Because of this,
we're getting the KRB5_PLUGIN_NO_HANDLE error code back up at the Kudu
layer.

We already have our own fallback case for KRB5_LNAME_NO_TRANS, and it
seems like we should just be handling PLUGIN_NO_HANDLE in the same way
to workaround the above behavior.

I tested this patch on a FreeIPA-configured system on el6.7. I was able
to successfully start a master with a FreeIPA-provided keytab and
authentication required, and use 'kudu table list' to authenticate to
it.

[1] https://github.com/SSSD/sssd/blob/master/src/krb5_plugin/sssd_krb5_localauth_plugin.c
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1297462
[3] https://pagure.io/SSSD/sssd/issue/3459

Change-Id: I7bc13b33053a73784350c9d30a3796a96d318c04
Reviewed-on: http://gerrit.cloudera.org:8080/7551
Tested-by: Kudu Jenkins
Reviewed-by: Alexey Serbin <aserbin@cloudera.com>


Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/ed827e0f
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/ed827e0f
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/ed827e0f

Branch: refs/heads/master
Commit: ed827e0f0c23f154c06c43b4d43219cdd321e221
Parents: 57a1962
Author: Todd Lipcon <todd@apache.org>
Authored: Mon Jul 31 18:58:26 2017 -0700
Committer: Todd Lipcon <todd@apache.org>
Committed: Tue Aug 1 20:54:57 2017 +0000

----------------------------------------------------------------------
 src/kudu/security/init.cc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kudu/blob/ed827e0f/src/kudu/security/init.cc
----------------------------------------------------------------------
diff --git a/src/kudu/security/init.cc b/src/kudu/security/init.cc
index cb1569c..25e229f 100644
--- a/src/kudu/security/init.cc
+++ b/src/kudu/security/init.cc
@@ -435,9 +435,13 @@ Status MapPrincipalToLocalName(const std::string& principal, std::string*
local_
   // first component of the principal.
   rc = KRB5_LNAME_NOTRANS;
 #endif
-  if (rc == KRB5_LNAME_NOTRANS) {
+  if (rc == KRB5_LNAME_NOTRANS || rc == KRB5_PLUGIN_NO_HANDLE) {
     // No name mapping specified. We fall back to simply taking the first component
     // of the principal, for compatibility with the default behavior of Hadoop.
+    //
+    // NOTE: KRB5_PLUGIN_NO_HANDLE isn't typically expected here, but works around
+    // a bug in SSSD's auth_to_local implementation: https://pagure.io/SSSD/sssd/issue/3459
+    //
     // TODO(todd): we should support custom configured auth-to-local mapping, since
     // most Hadoop ecosystem components do not load them from krb5.conf.
     if (princ->length > 0) {


Mime
View raw message