kudu-commits mailing list archives

From a...@apache.org
Subject [1/2] kudu git commit: KUDU-2198. Allow disregarding system-wide auth-to-local mapping
Date Wed, 25 Oct 2017 18:49:10 GMT
Repository: kudu
Updated Branches:
  refs/heads/master 28a671365 -> 15f3f9b2f


KUDU-2198. Allow disregarding system-wide auth-to-local mapping

This adds a workaround for an issue reported on the user mailing list.
Some systems are configured such that the auth_to_local mapping provided
by the krb5 library doesn't work properly for service accounts.

This patch adds a new configuration which allows Kudu to disregard the
system auth_to_local rules and instead just map Kerberos principals to
their first component, which is typically the username.

Change-Id: I2e893493f52965ea54d2ceaac83d375285b49486
Reviewed-on: http://gerrit.cloudera.org:8080/8373
Reviewed-by: Alexey Serbin <aserbin@cloudera.com>
Reviewed-by: Dan Burkert <danburkert@apache.org>
Tested-by: Kudu Jenkins


Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/dfaaf9ad
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/dfaaf9ad
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/dfaaf9ad

Branch: refs/heads/master
Commit: dfaaf9ade5721550d95b4da861fd24faeca5b6ec
Parents: 28a6713
Author: Todd Lipcon <todd@apache.org>
Authored: Tue Oct 24 12:44:23 2017 -0700
Committer: Todd Lipcon <todd@apache.org>
Committed: Tue Oct 24 20:44:24 2017 +0000

----------------------------------------------------------------------
 src/kudu/security/init.cc | 35 ++++++++++++++++++++++++-----------
 1 file changed, 24 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kudu/blob/dfaaf9ad/src/kudu/security/init.cc
----------------------------------------------------------------------
diff --git a/src/kudu/security/init.cc b/src/kudu/security/init.cc
index 58dd48d..47c2c42 100644
--- a/src/kudu/security/init.cc
+++ b/src/kudu/security/init.cc
@@ -71,6 +71,22 @@ DEFINE_bool(allow_world_readable_credentials, false,
             "world-readable permissions.");
 TAG_FLAG(allow_world_readable_credentials, unsafe);
 
+#ifndef __APPLE__
+static constexpr bool kDefaultSystemAuthToLocal = true;
+#else
+// macOS's Heimdal library has a no-op implementation of
+// krb5_aname_to_localname, so instead we just use the simple
+// implementation.
+static constexpr bool kDefaultSystemAuthToLocal = false;
+#endif
+DEFINE_bool(use_system_auth_to_local, kDefaultSystemAuthToLocal,
+            "When enabled, use the system krb5 library to map Kerberos principal "
+            "names to local (short) usernames. If not enabled, the first component "
+            "of the principal will be used as the short name. For example, "
+            "'kudu/foo.example.com@EXAMPLE' will map to 'kudu'.");
+TAG_FLAG(use_system_auth_to_local, advanced);
+
+
 using std::mt19937;
 using std::random_device;
 using std::string;
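Review bot: the help text for `use_system_auth_to_local` should say plainly that with the flag disabled both the instance and the realm of the principal are discarded, so 'kudu/foo.example.com@EXAMPLE' and a principal with the same first component from a different realm resolve to the same local name; deployments with more than one realm, or with auth_to_local rules in krb5.conf that restrict which realms are accepted, should keep the flag at its default. The platform-dependent default deserves a sentence in the help text as well, since a macOS build silently ignores the system rules. Minor: there are two blank lines after `TAG_FLAG(use_system_auth_to_local, advanced);` where one would match the surrounding code.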
@@ -414,18 +430,15 @@ Status MapPrincipalToLocalName(const std::string& principal, std::string*
local_
       krb5_free_principal(g_krb5_ctx, princ);
     });
   char buf[1024];
-  krb5_error_code rc;
-#ifndef __APPLE__
-  rc = krb5_aname_to_localname(g_krb5_ctx, princ, arraysize(buf), buf);
-#else
-  // macOS's Heimdal library has a no-op implementation of
-  // krb5_aname_to_localname, so instead we fall down to below and grab the
-  // first component of the principal.
-  rc = KRB5_LNAME_NOTRANS;
-#endif
+  krb5_error_code rc = KRB5_LNAME_NOTRANS;
+  if (FLAGS_use_system_auth_to_local) {
+    rc = krb5_aname_to_localname(g_krb5_ctx, princ, arraysize(buf), buf);
+  }
   if (rc == KRB5_LNAME_NOTRANS || rc == KRB5_PLUGIN_NO_HANDLE) {
-    // No name mapping specified. We fall back to simply taking the first component
-    // of the principal, for compatibility with the default behavior of Hadoop.
+    // No name mapping specified, or krb5-based name mapping is disabled.
+    //
+    // We fall back to simply taking the first component of the principal, for
+    // compatibility with the default behavior of Hadoop.
     //
     // NOTE: KRB5_PLUGIN_NO_HANDLE isn't typically expected here, but works around
     // a bug in SSSD's auth_to_local implementation: https://pagure.io/SSSD/sssd/issue/3459
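Review bot: when `FLAGS_use_system_auth_to_local` is false this function never consults the krb5 library, but nothing records that choice; consider logging once at startup which mapping is in effect, because the same principal can now resolve to different local names depending on this flag and on the platform default introduced in the first hunk, and that is exactly what someone auditing ACL grants needs to know. Also note that `rc` is only assigned from `krb5_aname_to_localname` inside the `if`, so `buf` is never written when the flag is off; the fallback branch must not read `buf`, which holds for the first-component path the comment describes but is worth a short comment so a later change to that branch does not introduce an uninitialized read.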

