Hello Csaba Ringhofer, Impala Public Jenkins,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/19561

to look at the new patch set (#6).

Change subject: IMPALA-11726: Allow LDAP user and group filter when Kerberos is enabled
......................................................................

IMPALA-11726: Allow LDAP user and group filter when Kerberos is enabled

This change does two things for the Kerberos authentication support for
impala clients:

1) Introduces the allow_custom_ldap_filters_with_kerberos_auth flag, which
   removes the restriction that prevents using LDAP group/user search
   filters when Kerberos authentication is enabled. When the flag is set,
   both Kerberos and LDAP can work with impala clients (impala-shell, jdbc,
   odbc, impyla) even if the group/user filters are defined. The flag's
   default value is false, which ensures backwards compatibility.

2) Introduces the enable_group_filter_check_for_authenticated_kerberos_user
   flag, which allows group filters to be applied for non-proxy users that
   belong to the authenticated Kerberos principals. The verified username
   comes from the Kerberos principal: the username is the first member of
   the authenticated Kerberos principal, where the principal can be
   username/host@realm or username@realm.

   Regardless of whether the flag is enabled or not, LDAP filters are not
   applied for authorized proxy users (neither when using LDAP nor when
   using Kerberos authentication). In case of delegation, filters are
   applied for delegated users.

   This flag makes sense if Kerberos and LDAP authentication are enabled
   and the users in the KDC and LDAP are synchronized (e.g. Active
   Directory provides both LDAP and Kerberos authentication). The flag's
   default value is false, which ensures backwards compatibility.

Notes:

If the allow_custom_ldap_filters_with_kerberos_auth flag is disabled, it is
still possible to use LDAP and Kerberos authentication together, but in a
limited way: only LDAP search bind authentication mode can be used, where
there are default user and group search filters (that are defined for the
Active Directory LDAP schema). One major limitation here - apart from the
AD directory schema assumed in the default filters - is that the only
possibility to control user access is to select the appropriate user and
group search base dn (e.g. granting LDAP access to users/groups defined in
a given subtree). Even in this edge case, it is still allowed to enable the
enable_group_filter_check_for_authenticated_kerberos_user flag. If this
happens, then the default filters in LDAP search bind will be applied for
Kerberos authenticated non-proxy users.

Another edge case is where LDAP authentication is enabled, user access is
controlled by custom LDAP filters (LDAP auth only), and external Kerberos
authentication is also enabled, but the users in the KDC and LDAP are not
in sync: in this case the allow_custom_ldap_filters_with_kerberos_auth flag
must be set, but the enable_group_filter_check_for_authenticated_kerberos_user
flag should be disabled, otherwise an unauthorized response may be received
during Kerberos authentication (depending on whether the authenticated
Kerberos user passes the custom LDAP filters or not). In such cases, access
for Kerberos users must be controlled in other ways (e.g. within the
FreeIPA KDC with host-based access control rules).

Tests:
- New unit test created to check the behavior of AuthManager with and
  without the allow_custom_ldap_filters_with_kerberos_auth flag.
- New custom cluster tests created:
  - impala-shell tests that validate existing LDAP search bind and simple
    bind functionality with Kerberos authentication enabled
    (LdapSearchBindImpalaShellTest and LdapSimpleBindImpalaShellTest
    suites are now parameterized),
  - impala-shell tests that validate backwards compatibility when the
    allow_custom_ldap_filters_with_kerberos_auth and
    enable_group_filter_check_for_authenticated_kerberos_user flags are
    disabled (LdapSearchBindDefaultFiltersKerberosImpalaShellTest),
  - various impala-shell tests that validate Kerberos authentication in an
    environment where LDAP authentication is also enabled
    (LdapKerberosImpalaShellTest).
- Manual tests with a snapshot build in CDP PVC DS with LDAP and Kerberos
  authentication enabled, user and group filters provided.

Change-Id: If3ca9c4ff8a17167e5233afabdd14c948edb46de
---
M be/src/rpc/authentication-test.cc
M be/src/rpc/authentication.cc
M be/src/util/ldap-util.cc
M bin/rat_exclude_files.txt
A fe/src/test/java/org/apache/impala/customcluster/KerberosKdcEnvironment.java
M fe/src/test/java/org/apache/impala/customcluster/LdapImpalaShellTest.java
A fe/src/test/java/org/apache/impala/customcluster/LdapKerberosImpalaShellTest.java
A fe/src/test/java/org/apache/impala/customcluster/LdapKerberosImpalaShellTestBase.java
A fe/src/test/java/org/apache/impala/customcluster/LdapSearchBindDefaultFiltersKerberosImpalaShellTest.java
M fe/src/test/java/org/apache/impala/customcluster/LdapSearchBindImpalaShellTest.java
M fe/src/test/java/org/apache/impala/customcluster/LdapSimpleBindImpalaShellTest.java
M fe/src/test/java/org/apache/impala/customcluster/RunShellCommand.java
A fe/src/test/resources/adschema.ldif
A fe/src/test/resources/adusers.ldif
14 files changed, 1,582 insertions(+), 31 deletions(-)

  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/61/19561/6
--
To view, visit http://gerrit.cloudera.org:8080/19561
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: If3ca9c4ff8a17167e5233afabdd14c948edb46de
Gerrit-Change-Number: 19561
Gerrit-PatchSet: 6
Gerrit-Owner: Gergely Farkas <gfar...@cloudera.com>
Gerrit-Reviewer: Csaba Ringhofer <csringho...@cloudera.com>
Gerrit-Reviewer: Gergely Farkas <gfar...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
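As an added illustration that is not part of this change and not Impala's own code, the C++ sketch below models the rules the commit message describes: the startup check gated by allow_custom_ldap_filters_with_kerberos_auth, the short user name taken from a Kerberos principal, and which user (if any) the LDAP user/group filters are checked against for proxy, delegated, LDAP and Kerberos users. The type and function names (Auth, LdapFilterFlags, Connection, UserSubjectToLdapFilters) are assumptions.

```cpp
#include <string>

// Added illustration of the rules in the commit message; not Impala code.
// Names below (Auth, LdapFilterFlags, Connection, ...) are assumptions.

// The verified user name is the first member of the Kerberos principal:
// everything before the first '/' or '@' in "user/host@REALM" or "user@REALM".
std::string KerberosPrincipalToUser(const std::string& principal) {
  size_t end = principal.find_first_of("/@");
  return end == std::string::npos ? principal : principal.substr(0, end);
}

enum class Auth { LDAP, KERBEROS };

struct LdapFilterFlags {
  // Both flags default to false in the change (backwards compatible).
  bool allow_custom_ldap_filters_with_kerberos_auth;
  bool enable_group_filter_check_for_authenticated_kerberos_user;
};

// Startup-time rule: custom user/group search filters may be combined with
// Kerberos authentication only when the first flag is set.
bool CustomFiltersAllowed(bool kerberos_enabled, bool custom_filters_defined,
                          const LdapFilterFlags& f) {
  return !(kerberos_enabled && custom_filters_defined) ||
         f.allow_custom_ldap_filters_with_kerberos_auth;
}

struct Connection {
  Auth auth;
  std::string authenticated_user;  // LDAP user, or KerberosPrincipalToUser()
  bool is_authorized_proxy_user;   // connection made by a configured proxy user
  std::string delegated_user;      // non-empty when the proxy user delegates
};

// Returns the user the LDAP user/group filters are checked against, or ""
// when the filters are not applied to this connection at all.
std::string UserSubjectToLdapFilters(const Connection& c, const LdapFilterFlags& f) {
  // Authorized proxy users are never filtered themselves, with LDAP or
  // Kerberos; when they delegate, the delegated user is filtered instead.
  if (c.is_authorized_proxy_user) return c.delegated_user;
  if (c.auth == Auth::LDAP) return c.authenticated_user;
  // Kerberos-authenticated non-proxy user: filtered only with the second flag.
  return f.enable_group_filter_check_for_authenticated_kerberos_user
             ? c.authenticated_user : std::string();
}
```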