[ https://issues.apache.org/jira/browse/IMPALA-12403?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17765482#comment-17765482 ]
Norbert Luksa commented on IMPALA-12403:
----------------------------------------

Change is merged: https://gerrit.cloudera.org/#/c/20421/

> Kerberos authentication fails when connecting with a proxy user that passes
> LDAP user and group filters but does not delegate another user
> ------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: IMPALA-12403
>                 URL: https://issues.apache.org/jira/browse/IMPALA-12403
>             Project: IMPALA
>          Issue Type: Bug
>          Components: be
>            Reporter: Gergely Farkas
>            Assignee: Gergely Farkas
>            Priority: Major
>
> When connecting with a proxy user without _doAs_ request parameter or
> _impala.doas.user_ connection config then the filters are executed with the
> authenticated user itself, however, in case of Kerberos auth, the
> authenticated user is a Kerberos user principal which will definitely not
> pass the LDAP checks, because LDAP filters here need to be checked with a
> short username (that needs to be extracted from the Kerberos user principal).
> During the Kerberos authentication process, the short username is checked
> (see
> [https://github.com/apache/impala/blob/master/be/src/rpc/authentication.cc#L757-L764]),
> the only point where it doesn't work like that is this:
> [https://github.com/apache/impala/blob/master/be/src/service/impala-hs2-server.cc#L394-L403]
> [https://github.com/apache/impala/blob/master/be/src/util/auth-util.cc#L43-L52]
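
The mismatch described in the quoted report, as an added example that is not part of the original message and not Impala's code: a user filter written for short usernames rejects the full Kerberos principal and accepts the same user once the short name is extracted. The function names, the allow-list standing in for the LDAP user filter, and the sample principal are all assumptions made for illustration.

```cpp
#include <iostream>
#include <set>
#include <string>

// Hypothetical helper, not Impala's implementation: copy the primary component
// of a Kerberos principal ("primary/instance@REALM") into *out. A backslash
// escapes the next character, so "\@" and "\/" stay part of the name.
bool ShortUserName(const std::string& principal, std::string* out) {
  std::string primary;
  for (size_t i = 0; i < principal.size(); ++i) {
    const char c = principal[i];
    if (c == '\\') {
      if (++i == principal.size()) return false;  // dangling escape
      primary.push_back(principal[i]);
    } else if (c == '/' || c == '@') {
      break;  // end of the primary component
    } else {
      primary.push_back(c);
    }
  }
  if (primary.empty()) return false;  // nothing to check a filter with
  *out = primary;
  return true;
}

// Stand-in for the LDAP user filter: a constructed allow-list of short names.
bool PassesUserFilter(const std::set<std::string>& allowed, const std::string& user) {
  return allowed.count(user) > 0;
}

// Case from the report: Kerberos auth and no doAs user, so the filter subject
// is the authenticated user and has to be reduced to its short name first.
bool ProxyUserPassesFilter(const std::set<std::string>& allowed,
                           const std::string& authenticated_user) {
  std::string short_name;
  return ShortUserName(authenticated_user, &short_name) &&
         PassesUserFilter(allowed, short_name);
}

int main() {
  const std::set<std::string> allowed = {"proxy_user"};  // constructed
  const std::string principal = "proxy_user/gw.example.com@EXAMPLE.COM";  // constructed
  std::cout << "full principal: " << PassesUserFilter(allowed, principal) << "\n"
            << "short username: " << ProxyUserPassesFilter(allowed, principal) << "\n";
  return 0;
}
```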