[ 
https://issues.apache.org/jira/browse/IMPALA-12403?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Norbert Luksa resolved IMPALA-12403.
------------------------------------
    Resolution: Fixed

> Kerberos authentication fails when connecting with a proxy user that passes 
> LDAP user and group filters but does not delegate another user
> ------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: IMPALA-12403
>                 URL: https://issues.apache.org/jira/browse/IMPALA-12403
>             Project: IMPALA
>          Issue Type: Bug
>          Components: be
>            Reporter: Gergely Farkas
>            Assignee: Gergely Farkas
>            Priority: Major
>
> When connecting with a proxy user without the _doAs_ request parameter or the 
> _impala.doas.user_ connection config, the filters are executed with the 
> authenticated user itself. However, in the case of Kerberos auth, the 
> authenticated user is a Kerberos user principal, which will definitely not 
> pass the LDAP checks, because LDAP filters here need to be checked with a 
> short username (that needs to be extracted from the Kerberos user principal).
> During the Kerberos authentication process, the short username is checked 
> (see 
> [https://github.com/apache/impala/blob/master/be/src/rpc/authentication.cc#L757-L764]);
> the only point where it doesn't work like that is this: 
> [https://github.com/apache/impala/blob/master/be/src/service/impala-hs2-server.cc#L394-L403]
> [https://github.com/apache/impala/blob/master/be/src/util/auth-util.cc#L43-L52]
>  
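The principal-versus-short-name mismatch described above, as an added example that is not Impala's code and not part of the original message: it reduces a Kerberos principal to its primary component before the name reaches an LDAP filter. `ShortUserName`, `PassesUserFilter`, `UserSearchFilter`, the `{0}` placeholder and the sample principals are assumptions made for illustration.

```cpp
#include <set>
#include <stdexcept>
#include <string>

// Hypothetical helper: primary component of "primary/instance@REALM".
// A backslash quotes the next character, so "a\@b@REALM" has primary "a@b".
std::string ShortUserName(const std::string& principal) {
  std::string name;
  for (size_t i = 0; i < principal.size(); ++i) {
    char c = principal[i];
    if (c == '/' || c == '@') break;  // unquoted separator ends the primary
    if (c == '\\' && i + 1 < principal.size()) c = principal[++i];
    name += c;
  }
  if (name.empty()) throw std::invalid_argument("principal has no primary component");
  return name;
}

// Escape a value for use inside an LDAP search filter (RFC 4515).
std::string EscapeLdapValue(const std::string& value) {
  static const char kHex[] = "0123456789abcdef";
  std::string out;
  for (unsigned char c : value) {
    if (c == '*' || c == '(' || c == ')' || c == '\\' || c == '\0') {
      out += '\\';
      out += kHex[c >> 4];
      out += kHex[c & 0x0f];
    } else {
      out += static_cast<char>(c);
    }
  }
  return out;
}

// Constructed stand-in for a user filter: an allow list of short usernames.
bool PassesUserFilter(const std::set<std::string>& allowed, const std::string& user) {
  return allowed.count(user) > 0;
}

// Fill a filter template for a Kerberos-authenticated user. "{0}" is a
// constructed placeholder; the short name is escaped before substitution.
std::string UserSearchFilter(std::string tmpl, const std::string& principal) {
  const std::string value = EscapeLdapValue(ShortUserName(principal));
  for (size_t pos = tmpl.find("{0}"); pos != std::string::npos;
       pos = tmpl.find("{0}", pos + value.size())) {
    tmpl.replace(pos, 3, value);
  }
  return tmpl;
}
```

Deployments that map principals to local names through configured rules would apply those rules in place of the plain primary-component cut shown here.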


