Gergely Farkas created IMPALA-12403: ---------------------------------------
Summary: Kerberos authentication fails when connecting with a proxy user that passes LDAP user and group filters but does not delegate another user Key: IMPALA-12403 URL: https://issues.apache.org/jira/browse/IMPALA-12403 Project: IMPALA Issue Type: Bug Components: be Reporter: Gergely Farkas Assignee: Gergely Farkas When connecting with a proxy user without _doAs_ request parameter or _impala.doas.user_ connection config then the filters are executed with the authenticated user itself, however, in case of Kerberos auth, the authenticated user is a Kerberos user principal which will definitely not pass the LDAP checks, because LDAP filters here need to be checked with a short username (that needs to be extracted from the Kerberos user principal). During the Kerberos authentication process, the short username is checked ( see [https://github.com/apache/impala/blob/master/be/src/rpc/authentication.cc#L757-L764]), , the only point where it doesn't work like that is this: [https://github.com/apache/impala/blob/master/be/src/service/impala-hs2-server.cc#L394-L403] [https://github.com/apache/impala/blob/master/be/src/util/auth-util.cc#L43-L52] -- This message was sent by Atlassian Jira (v8.20.10#820010)