Todd Lipcon has posted comments on this change. Change subject: Workaround test failures running with MIT krb5 1.10 ......................................................................
Patch Set 5: > Why? I would expect that credential passing between the embedder and the > client will be done explicitly (via client API calls) and abstractly enough > that the fact that the client uses MIT krb5 is just an implementation detail. > Is that not going to be the case? I'm not a fan of dependencies dictating our > client APIs, to the point where we've even discussed a C API to elide STL > dependencies. That's not the typical usage pattern for Kerberos. Clients are expected to pick up credentials from the environment -- eg a user can use Kerberos APIs or environment variables to set the ticket cache location for the process, and underlying libraries are expected to read credentials from that ticket cache. In other words, you can just 'kinit' and then any program that uses Kudu can see those credentials. If we use a different version of Kerberos compared to what's on the system, then there's little to no guarantee that when the user logs in via kinit that we can pick up the credentials from their ticket cache as configured by their environment. This is especially the case if the system kerberos is newer than the library's static-linked Kerberos: as a specific example, back in 2010 or so we had an issue where the kinit on RHEL6 would produce a ticket cache that Java 6's Kerberos implementation couldn't read (https://www.cloudera.com/documentation/enterprise/5-7-x/topics/cm_sg_sec_troubleshooting.html#topic_17_1_1). In the case that the library's Kerberos is newer than the system Kerberos, I think you could still get this sort of compatibility problem in reverse. -- To view, visit http://gerrit.cloudera.org:8080/4990 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: comment Gerrit-Change-Id: I708334cbbee35d2629a38a369e63c1dc309ed91b Gerrit-PatchSet: 5 Gerrit-Project: kudu Gerrit-Branch: master Gerrit-Owner: Todd Lipcon <t...@apache.org> Gerrit-Reviewer: Adar Dembo <a...@cloudera.com> Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com> Gerrit-Reviewer: Dan Burkert <danburk...@apache.org> Gerrit-Reviewer: Kudu Jenkins Gerrit-Reviewer: Tidy Bot Gerrit-Reviewer: Todd Lipcon <t...@apache.org> Gerrit-HasComments: No