Gergely Farkas created IMPALA-12403:
---------------------------------------

             Summary: Kerberos authentication fails when connecting with a proxy user that passes LDAP user and group filters but does not delegate another user
                 Key: IMPALA-12403
                 URL: https://issues.apache.org/jira/browse/IMPALA-12403
             Project: IMPALA
          Issue Type: Bug
          Components: be
            Reporter: Gergely Farkas
            Assignee: Gergely Farkas


When connecting with a proxy user without the _doAs_ request parameter or the 
_impala.doas.user_ connection config, the filters are executed with the 
authenticated user itself. However, in the case of Kerberos auth, the authenticated 
user is a Kerberos user principal, which will definitely not pass the LDAP 
checks, because LDAP filters here need to be checked with a short username 
(that needs to be extracted from the Kerberos user principal).
During the Kerberos authentication process, the short username is checked (see 
[https://github.com/apache/impala/blob/master/be/src/rpc/authentication.cc#L757-L764]); 
the only point where it doesn't work like that is this: 
[https://github.com/apache/impala/blob/master/be/src/service/impala-hs2-server.cc#L394-L403]
[https://github.com/apache/impala/blob/master/be/src/util/auth-util.cc#L43-L52] 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
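
The mismatch described in the report, as an added C++ example that is not Impala's code and not part of the original message: the same filter rejects the full Kerberos principal and accepts the short name extracted from it. `ShortUserName`, `PassesUserFilter`, `CheckAsReported`, `CheckNormalized` and the allowlist standing in for the LDAP user filter are hypothetical, and the short name is assumed to be the principal's primary component (no site-specific principal mapping).

```cpp
#include <iostream>
#include <set>
#include <string>

// Constructed sample: allowlist of short names standing in for the LDAP user filter.
const std::set<std::string> kSampleAllowed = {"proxyuser"};

// Hypothetical helper: primary component of "primary[/instance][@REALM]".
// A backslash escapes the next character, so "\/" and "\@" do not split.
std::string ShortUserName(const std::string& principal) {
  std::string out;
  for (size_t i = 0; i < principal.size(); ++i) {
    char c = principal[i];
    if (c == '\\' && i + 1 < principal.size()) {
      out += principal[++i];
      continue;
    }
    if (c == '/' || c == '@') break;
    out += c;
  }
  return out;
}

// Filter check; an empty name never passes (fail closed).
bool PassesUserFilter(const std::set<std::string>& allowed, const std::string& user) {
  return !user.empty() && allowed.count(user) > 0;
}

// Behaviour described in the report: the authenticated name is used unchanged.
bool CheckAsReported(const std::set<std::string>& allowed, const std::string& auth_user) {
  return PassesUserFilter(allowed, auth_user);
}

// Kerberos principals are reduced to the short name before the filter runs.
bool CheckNormalized(const std::set<std::string>& allowed,
                     const std::string& auth_user, bool is_kerberos) {
  return PassesUserFilter(allowed, is_kerberos ? ShortUserName(auth_user) : auth_user);
}

int main() {
  const std::string principal = "proxyuser/gw.example.com@EXAMPLE.COM";  // constructed
  std::cout << "as reported: " << CheckAsReported(kSampleAllowed, principal)
            << ", normalized: " << CheckNormalized(kSampleAllowed, principal, true) << "\n";
  return 0;
}
```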