[kudu-CR] KUDU-2198. Allow disregarding system-wide auth-to-local mapping
Todd Lipcon has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/8373 ) Change subject: KUDU-2198. Allow disregarding system-wide auth-to-local mapping .. KUDU-2198. Allow disregarding system-wide auth-to-local mapping This adds a workaround for an issue reported on the user mailing list. Some systems are configured such that the auth_to_local mapping provided by the krb5 library doesn't work properly for service accounts. This patch adds a new configuration which allows Kudu to disregard the system auth_to_local rules and instead just map kerberos principals to their first component, which is typically the username. Change-Id: I2e893493f52965ea54d2ceaac83d375285b49486 Reviewed-on: http://gerrit.cloudera.org:8080/8373 Reviewed-by: Alexey SerbinReviewed-by: Dan Burkert Tested-by: Kudu Jenkins --- M src/kudu/security/init.cc 1 file changed, 24 insertions(+), 11 deletions(-) Approvals: Alexey Serbin: Looks good to me, approved Dan Burkert: Looks good to me, approved Kudu Jenkins: Verified -- To view, visit http://gerrit.cloudera.org:8080/8373 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: merged Gerrit-Change-Id: I2e893493f52965ea54d2ceaac83d375285b49486 Gerrit-Change-Number: 8373 Gerrit-PatchSet: 3 Gerrit-Owner: Todd Lipcon Gerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Dan Burkert Gerrit-Reviewer: Kudu Jenkins Gerrit-Reviewer: Todd Lipcon
[kudu-CR] KUDU-2198. Allow disregarding system-wide auth-to-local mapping
Dan Burkert has posted comments on this change. ( http://gerrit.cloudera.org:8080/8373 ) Change subject: KUDU-2198. Allow disregarding system-wide auth-to-local mapping .. Patch Set 2: Code-Review+2 -- To view, visit http://gerrit.cloudera.org:8080/8373 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I2e893493f52965ea54d2ceaac83d375285b49486 Gerrit-Change-Number: 8373 Gerrit-PatchSet: 2 Gerrit-Owner: Todd LipconGerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Dan Burkert Gerrit-Reviewer: Kudu Jenkins Gerrit-Reviewer: Todd Lipcon Gerrit-Comment-Date: Tue, 24 Oct 2017 20:21:19 + Gerrit-HasComments: No
[kudu-CR] KUDU-2198. Allow disregarding system-wide auth-to-local mapping
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/8373 ) Change subject: KUDU-2198. Allow disregarding system-wide auth-to-local mapping .. Patch Set 2: Code-Review+2 -- To view, visit http://gerrit.cloudera.org:8080/8373 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I2e893493f52965ea54d2ceaac83d375285b49486 Gerrit-Change-Number: 8373 Gerrit-PatchSet: 2 Gerrit-Owner: Todd LipconGerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Dan Burkert Gerrit-Reviewer: Kudu Jenkins Gerrit-Reviewer: Todd Lipcon Gerrit-Comment-Date: Tue, 24 Oct 2017 20:18:10 + Gerrit-HasComments: No
[kudu-CR] KUDU-2198. Allow disregarding system-wide auth-to-local mapping
Hello Alexey Serbin, Dan Burkert, Kudu Jenkins, I'd like you to reexamine a change. Please visit http://gerrit.cloudera.org:8080/8373 to look at the new patch set (#2). Change subject: KUDU-2198. Allow disregarding system-wide auth-to-local mapping .. KUDU-2198. Allow disregarding system-wide auth-to-local mapping This adds a workaround for an issue reported on the user mailing list. Some systems are configured such that the auth_to_local mapping provided by the krb5 library doesn't work properly for service accounts. This patch adds a new configuration which allows Kudu to disregard the system auth_to_local rules and instead just map kerberos principals to their first component, which is typically the username. Change-Id: I2e893493f52965ea54d2ceaac83d375285b49486 --- M src/kudu/security/init.cc 1 file changed, 24 insertions(+), 11 deletions(-) git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/73/8373/2 -- To view, visit http://gerrit.cloudera.org:8080/8373 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: I2e893493f52965ea54d2ceaac83d375285b49486 Gerrit-Change-Number: 8373 Gerrit-PatchSet: 2 Gerrit-Owner: Todd LipconGerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Dan Burkert Gerrit-Reviewer: Kudu Jenkins Gerrit-Reviewer: Todd Lipcon
[kudu-CR] KUDU-2198. Allow disregarding system-wide auth-to-local mapping
Todd Lipcon has posted comments on this change. ( http://gerrit.cloudera.org:8080/8373 ) Change subject: KUDU-2198. Allow disregarding system-wide auth-to-local mapping .. Patch Set 1: (2 comments) http://gerrit.cloudera.org:8080/#/c/8373/1/src/kudu/security/init.cc File src/kudu/security/init.cc: http://gerrit.cloudera.org:8080/#/c/8373/1/src/kudu/security/init.cc@75 PS1, Line 75: #define DEFAULT_SYSTEM_AUTH_TO_LOCAL true > consider using a constant here, e.g. https://github.com/apache/kudu/blob/ma Done http://gerrit.cloudera.org:8080/#/c/8373/1/src/kudu/security/init.cc@84 PS1, Line 84: componnt > component Done -- To view, visit http://gerrit.cloudera.org:8080/8373 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I2e893493f52965ea54d2ceaac83d375285b49486 Gerrit-Change-Number: 8373 Gerrit-PatchSet: 1 Gerrit-Owner: Todd LipconGerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Dan Burkert Gerrit-Reviewer: Kudu Jenkins Gerrit-Reviewer: Todd Lipcon Gerrit-Comment-Date: Tue, 24 Oct 2017 20:06:11 + Gerrit-HasComments: Yes
[kudu-CR] KUDU-2198. Allow disregarding system-wide auth-to-local mapping
Dan Burkert has posted comments on this change. ( http://gerrit.cloudera.org:8080/8373 ) Change subject: KUDU-2198. Allow disregarding system-wide auth-to-local mapping .. Patch Set 1: (2 comments) http://gerrit.cloudera.org:8080/#/c/8373/1/src/kudu/security/init.cc File src/kudu/security/init.cc: http://gerrit.cloudera.org:8080/#/c/8373/1/src/kudu/security/init.cc@75 PS1, Line 75: #define DEFAULT_SYSTEM_AUTH_TO_LOCAL true consider using a constant here, e.g. https://github.com/apache/kudu/blob/master/src/kudu/mini-cluster/mini_cluster.h#L93-L97. I don't feel too strongly if you want to keep it as-is, though. http://gerrit.cloudera.org:8080/#/c/8373/1/src/kudu/security/init.cc@84 PS1, Line 84: componnt component -- To view, visit http://gerrit.cloudera.org:8080/8373 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I2e893493f52965ea54d2ceaac83d375285b49486 Gerrit-Change-Number: 8373 Gerrit-PatchSet: 1 Gerrit-Owner: Todd LipconGerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Dan Burkert Gerrit-Reviewer: Kudu Jenkins Gerrit-Comment-Date: Tue, 24 Oct 2017 19:54:23 + Gerrit-HasComments: Yes
[kudu-CR] KUDU-2198. Allow disregarding system-wide auth-to-local mapping
Hello Alexey Serbin, Dan Burkert, I'd like you to do a code review. Please visit http://gerrit.cloudera.org:8080/8373 to review the following change. Change subject: KUDU-2198. Allow disregarding system-wide auth-to-local mapping .. KUDU-2198. Allow disregarding system-wide auth-to-local mapping This adds a workaround for an issue reported on the user mailing list. Some systems are configured such that the auth_to_local mapping provided by the krb5 library doesn't work properly for service accounts. This patch adds a new configuration which allows Kudu to disregard the system auth_to_local rules and instead just map kerberos principals to their first component, which is typically the username. Change-Id: I2e893493f52965ea54d2ceaac83d375285b49486 --- M src/kudu/security/init.cc 1 file changed, 24 insertions(+), 11 deletions(-) git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/73/8373/1 -- To view, visit http://gerrit.cloudera.org:8080/8373 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: newchange Gerrit-Change-Id: I2e893493f52965ea54d2ceaac83d375285b49486 Gerrit-Change-Number: 8373 Gerrit-PatchSet: 1 Gerrit-Owner: Todd LipconGerrit-Reviewer: Alexey Serbin Gerrit-Reviewer: Dan Burkert