kudu-commits mailing list archives

From ale...@apache.org
Subject [1/5] kudu git commit: Allow configuration of values passed into kerberos env vars
Date Tue, 17 Oct 2017 15:23:18 GMT
Repository: kudu
Updated Branches:
  refs/heads/master f5e1203a3 -> fe23710c6


Allow configuration of values passed into kerberos env vars

We always used hardcoded constants for the following kerberos
environment variables:

KRB5CCNAME and KRB5RCACHETYPE.

This patch allows for the configuration of these variables by taking
arguments to InitKerberosForServer().

Callsites within Kudu have not been changed as all the parameters have
default values.

The motivation for this patch is that Impala, as a user of the
KuduRPC and Kudu security libraries, needs to have a file-based
credential cache since the kinit happens on the C++ side and this cache
needs to be read by the Java side too. Hence, we cannot have it in memory.
Also, Impala still requires replay protection, since some Impala services
use Thrift which lacks the nonce mechanism that KRPC uses for replay
protection.

Change-Id: Iab4ce72c04ec4056dc89fb4c1c540a6fdaca4404
Reviewed-on: http://gerrit.cloudera.org:8080/8247
Reviewed-by: Todd Lipcon <todd@apache.org>
Tested-by: Todd Lipcon <todd@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/c18815f1
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/c18815f1
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/c18815f1

Branch: refs/heads/master
Commit: c18815f1edd3fc23abc874ffe9fe564c3114fc8e
Parents: f5e1203
Author: Sailesh Mukil <sailesh@apache.org>
Authored: Mon Oct 9 23:20:39 2017 -0700
Committer: Todd Lipcon <todd@apache.org>
Committed: Tue Oct 17 04:21:34 2017 +0000

----------------------------------------------------------------------
 src/kudu/security/init.cc | 20 +++++++++-----------
 src/kudu/security/init.h  | 11 ++++++++++-
 2 files changed, 19 insertions(+), 12 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kudu/blob/c18815f1/src/kudu/security/init.cc
----------------------------------------------------------------------
diff --git a/src/kudu/security/init.cc b/src/kudu/security/init.cc
index ded848b..58dd48d 100644
--- a/src/kudu/security/init.cc
+++ b/src/kudu/security/init.cc
@@ -459,21 +459,19 @@ boost::optional<string> GetLoggedInUsernameFromKeytab() {
   return g_kinit_ctx->username_str();
 }
 
-Status InitKerberosForServer() {
+Status InitKerberosForServer(const std::string& krb5ccname, bool disable_krb5_replay_cache)
{
   if (FLAGS_keytab_file.empty()) return Status::OK();
 
-  // Have the daemons use an in-memory ticket cache, so they don't accidentally
-  // pick up credentials from test cases or any other daemon.
-  // TODO(todd): extract these krb5 env vars into some constants since they're
-  // typo-prone.
-  setenv("KRB5CCNAME", "MEMORY:kudu", 1);
+  setenv("KRB5CCNAME", krb5ccname.c_str(), 1);
   setenv("KRB5_KTNAME", FLAGS_keytab_file.c_str(), 1);
 
-  // KUDU-1897: disable the Kerberos replay cache. The KRPC protocol includes a
-  // per-connection server-generated nonce to protect against replay attacks
-  // when authenticating via Kerberos. The replay cache has many performance and
-  // implementation issues.
-  setenv("KRB5RCACHETYPE", "none", 1);
+  if (disable_krb5_replay_cache) {
+    // KUDU-1897: disable the Kerberos replay cache. The KRPC protocol includes a
+    // per-connection server-generated nonce to protect against replay attacks
+    // when authenticating via Kerberos. The replay cache has many performance and
+    // implementation issues.
+    setenv("KRB5RCACHETYPE", "none", 1);
+  }
 
   g_kinit_ctx = new KinitContext();
   string principal;
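
Review bot: when disable_krb5_replay_cache is false, the new if block only skips the setenv, so a KRB5RCACHETYPE value already present in the process environment (for example an inherited "none") stays in effect and a caller that asked for replay protection does not get it. An else branch that calls unsetenv("KRB5RCACHETYPE"), or at least logs the effective value, would make the parameter fully determine the outcome. Separately, krb5ccname goes straight into setenv("KRB5CCNAME", krb5ccname.c_str(), 1) with no check; returning an error Status for an empty string would be cheap, and the return values of the setenv calls are still ignored.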

http://git-wip-us.apache.org/repos/asf/kudu/blob/c18815f1/src/kudu/security/init.h
----------------------------------------------------------------------
diff --git a/src/kudu/security/init.h b/src/kudu/security/init.h
index 913585f..0832256 100644
--- a/src/kudu/security/init.h
+++ b/src/kudu/security/init.h
@@ -30,9 +30,18 @@ class Status;
 
 namespace security {
 
+// The default kerberos credential cache name.
+// Have the daemons use an in-memory ticket cache, so they don't accidentally
+// pick up credentials from test cases or any other daemon.
+static const std::string kKrb5CCName = "MEMORY:kudu";
+
 // Initializes Kerberos for a server. In particular, this processes
 // the '--keytab_file' command line flag.
-Status InitKerberosForServer();
+// 'krb5ccname' is passed into the KRB5CCNAME env var.
+// 'disable_krb5_replay_cache' if set to true, disables the kerberos replay cache by setting
+// the KRB5RCACHETYPE env var to "none".
+Status InitKerberosForServer(const std::string& krb5ccname = kKrb5CCName,
+                             bool disable_krb5_replay_cache = true);
 
 // Returns the process lock 'kerberos_reinit_lock'
 // This lock is taken in write mode while the ticket is being reacquired, and
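
Review bot: the new constant static const std::string kKrb5CCName in init.h gives every translation unit that includes the header its own copy with a dynamic initializer and a destructor run at exit, which is the pattern usually avoided for header constants. A constexpr char array holding "MEMORY:kudu", or a small accessor function, works as the default argument without that cost. The parameter comments also say what each argument sets but not what it costs: the comment moved above kKrb5CCName explains that the in-memory cache keeps daemons from picking up credentials from other processes, so the 'krb5ccname' line should state that passing any other cache type gives up that isolation, and the 'disable_krb5_replay_cache' line should state that true is only safe when every protocol in the process has its own replay protection, as the KUDU-1897 comment in init.cc says of KRPC.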

