[ https://issues.apache.org/jira/browse/IMPALA-9430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17060994#comment-17060994 ]
Norbert Luksa commented on IMPALA-9430:
---------------------------------------

Looks like ASF Jira bot failed to copy the commit message, so here it is for reference:

IMPALA-9430: always pass through kerberos configs

The behaviour of kerberos-related command line flags is changed so that their values are always passed through to underlying libraries, even if Kerberos isn't enabled for internal communication in Impala.

This is good because:
* Various libraries that communicate with external systems may use kerberos for outgoing connections, if *incoming* connections are not authenticated. e.g. it might just be enabled for HMS. Having them pick up different kerberos settings for outgoing connections if kerberos is disabled for incoming connections is a little weird. This is a safer default that reduces chances of inadvertent misconfigurations.
* It matches the documentation of the flags.

Some validations are still disabled when --principal is not set, e.g. we don't check the replay cache directory. This is to avoid any potential regressions or startup failures on non-kerberised clusters.

Testing:
Added unit tests for flag validation and env var setting on the code paths that I touched.

Change-Id: If4bb311c7ab7173232aab36c5ed801f93f38f5b9
Reviewed-on: http://gerrit.cloudera.org:8080/15340
Reviewed-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Tested-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>

> Kerberos configs should be passed through to Kerberos libraries even if principal is not set
> --------------------------------------------------------------------------------------------
>
>                 Key: IMPALA-9430
>                 URL: https://issues.apache.org/jira/browse/IMPALA-9430
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Backend
>            Reporter: Tim Armstrong
>            Assignee: Tim Armstrong
>            Priority: Major
>              Labels: kerberos, security
>             Fix For: Impala 3.4.0
>
>
> InitKerberosEnv() configures native and JDK kerberos implementations based on
> command-line flags:
> https://github.com/apache/impala/blob/d1b42c836c3458a2ef3662c0b0b1fd8fbf8f2baf/be/src/rpc/authentication.cc#L866
> . It only does this when --principal is set.
> It's possible that Impala can be set up to use kerberos to communicate with
> some external services, e.g. HMS or Hive, even if --principal is not set,
> since those clients read in config XML files that are independent of the
> Impala flags. This isn't a recommended configuration and requires a fair bit
> of expertise to get right, but I think it's very surprising that the configs
> *don't* get passed through in the case. The documentation doesn't mention
> this behaviour.
> The suggested change here is to apply the config changes independent of the
> value of --principal. It should be a noop if kerberos is not configured for
> any services.
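
An added sketch, not Impala's code and not part of the original message, of the behaviour change described above: Kerberos settings exported to the native and JDK libraries only when --principal is set, beside the pass-through version. The struct, its fields other than `principal`, the function names and the sample paths are assumptions made for illustration.

```cpp
#include <cstdio>
#include <cstdlib>
#include <map>
#include <string>

// Hypothetical stand-ins for the daemon's Kerberos flags; only --principal
// is named on the page, the other fields are assumptions for illustration.
struct KrbFlags {
  std::string principal;    // empty: Kerberos is off for incoming connections
  std::string krb5_conf;    // path to krb5.conf
  std::string krb5_ccname;  // credential cache location
  std::string krb5_trace;   // optional libkrb5 trace file
};
using Env = std::map<std::string, std::string>;

// After the change: every configured value is exported, whatever --principal is.
// Unset flags export nothing, so a cluster without Kerberos sees a no-op.
Env BuildEnvAlways(const KrbFlags& f, const std::string& java_opts) {
  Env env;
  if (!f.krb5_ccname.empty()) env["KRB5CCNAME"] = f.krb5_ccname;
  if (!f.krb5_trace.empty()) env["KRB5_TRACE"] = f.krb5_trace;
  if (!f.krb5_conf.empty()) {
    env["KRB5_CONFIG"] = f.krb5_conf;  // read by native MIT Kerberos
    // The JDK takes the krb5.conf path from a system property instead.
    std::string opt = "-Djava.security.krb5.conf=" + f.krb5_conf;
    env["JAVA_TOOL_OPTIONS"] = java_opts.empty() ? opt : java_opts + " " + opt;
  }
  return env;
}

// Before the change: the same settings were dropped when --principal was unset.
Env BuildEnvGated(const KrbFlags& f, const std::string& java_opts) {
  if (f.principal.empty()) return Env();
  return BuildEnvAlways(f, java_opts);
}

// Export into the process environment so libraries loaded later pick it up.
void Apply(const Env& env) {
  for (const auto& kv : env) setenv(kv.first.c_str(), kv.second.c_str(), 1);
}

int main() {
  // Constructed sample: no --principal, but outgoing clients use Kerberos.
  KrbFlags f{"", "/etc/impala/krb5.conf", "/tmp/krb5cc_impala", ""};
  const char* cur = getenv("JAVA_TOOL_OPTIONS");
  Env env = BuildEnvAlways(f, cur ? cur : "");
  Apply(env);
  std::printf("gated: %zu vars, pass-through: %zu vars\n",
              BuildEnvGated(f, "").size(), env.size());
  return 0;
}
```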