Adar Dembo has posted comments on this change. ( http://gerrit.cloudera.org:8080/15601 )
Change subject: KUDU-3081 Add Kerberos support to MiniRanger ...................................................................... Patch Set 6: (2 comments) http://gerrit.cloudera.org:8080/#/c/15601/4/src/kudu/ranger/mini_ranger.cc File src/kudu/ranger/mini_ranger.cc: http://gerrit.cloudera.org:8080/#/c/15601/4/src/kudu/ranger/mini_ranger.cc@206 PS4, Line 206: string krb5_config = getenv("KRB5_CONFIG"); > Isn't it important for the KRB5_CONFIG used by MiniRanger to be the one fr +1 to what Andrew said, and yeah, I do feel strongly about this (provided it's not an impossible task). I already find it difficult to understand how the various Kerberos-related environment variables affect the Kudu C++ security code; I'd rather we avoid adding more complexity there. http://gerrit.cloudera.org:8080/#/c/15601/4/src/kudu/ranger/ranger_client.cc File src/kudu/ranger/ranger_client.cc: http://gerrit.cloudera.org:8080/#/c/15601/4/src/kudu/ranger/ranger_client.cc@195 PS4, Line 195: string krb5_config = getenv("KRB5_CONFIG"); > Alternatively, we can expose a flag that, if set, will be used (e.g. in an The problem is that it's much tougher to track and understand the behavior of an env var "switch" vs. an explicit one. Can we model this as we did kudu::thrift::ClientOptions::enable_kerberos? 1. The "library" code (RangerClient, in this case) provides an explicit setter or options struct to enable Kerberos. This setter/option must include all the information needed (i.e. if it needs a path to a krb5.conf file, then it expects a string containing that path). 2. The EMC code uses this setter/options struct accordingly using information from the MiniKdc. 3. Production code sets the setter/options using the value of a gflag. Or, in the case of path to krb5.conf, maybe even hardcodes it to /etc/krb5.conf, as I believe that's what the C++ security code always uses. -- To view, visit http://gerrit.cloudera.org:8080/15601 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I32118780ad912791fe5e371004345428b6459549 Gerrit-Change-Number: 15601 Gerrit-PatchSet: 6 Gerrit-Owner: Attila Bukor <abu...@apache.org> Gerrit-Reviewer: Adar Dembo <a...@cloudera.com> Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com> Gerrit-Reviewer: Attila Bukor <abu...@apache.org> Gerrit-Reviewer: Grant Henke <granthe...@apache.org> Gerrit-Reviewer: Hao Hao <hao....@cloudera.com> Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Reviewer: Tidy Bot (241) Gerrit-Comment-Date: Tue, 31 Mar 2020 22:55:44 +0000 Gerrit-HasComments: Yes
