Hello Tamas Mate, Tim Armstrong, Impala Public Jenkins,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/16252

to look at the new patch set (#4).

Change subject: IMPALA-9988 (part 2): Integrate ldap filters and 
impala.doas.user
......................................................................

IMPALA-9988 (part 2): Integrate ldap filters and impala.doas.user

This patch fixes the integration between LDAP filters and proxy
users by ensuring that the 'impala.doas.user' HS2 config option is
considered when applying filters. This requires deferring checking the
filters until the OpenSession() call.

This patch also introduces new flags --ldap_bind_dn and
--ldap_bind_password_cmd which must be specified in order to use LDAP
filters, unless the LDAP server is set up to allow anonymous binds.

It also uses some gflag utilities from Kudu to tag
--ldap_bind_password_cmd as sensitive and redact it on the webui and
in logging in order to increase security in case a user specifies it
as 'echo <password>'.

These config options are modeled after equivalent options in Hue:
https://github.com/cloudera/hue/blob/master/desktop/conf.dist/hue.ini#L425

Testing:
- Added a test that uses the 'impala.doas.user' config with LDAP
  filters.

Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
---
M be/src/common/logging.cc
M be/src/rpc/authentication.cc
M be/src/service/impala-hs2-server.cc
M be/src/service/impala-server.cc
M be/src/service/impala-server.h
M be/src/util/default-path-handlers.cc
M be/src/util/ldap-util.cc
M be/src/util/ldap-util.h
M be/src/util/webserver.cc
M fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java
M fe/src/test/java/org/apache/impala/customcluster/LdapImpalaShellTest.java
M fe/src/test/java/org/apache/impala/customcluster/LdapWebserverTest.java
M fe/src/test/java/org/apache/impala/testutil/LdapUtil.java
13 files changed, 235 insertions(+), 57 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/52/16252/4
--
To view, visit http://gerrit.cloudera.org:8080/16252

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I9ca8e1a0466288225efbe05b2d0068b8241df070
Gerrit-Change-Number: 16252
Gerrit-PatchSet: 4
Gerrit-Owner: Thomas Tauber-Marshall <tmarsh...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Gerrit-Reviewer: Tamas Mate <tm...@cloudera.com>
Gerrit-Reviewer: Thomas Tauber-Marshall <tmarsh...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <tarmstr...@cloudera.com>
