  1. IMPALA
  2. IMPALA-12403

Kerberos authentication fails when connecting with a proxy user that passes LDAP user and group filters but does not delegate another user

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: Impala 4.3.0
    • Component/s: Backend
    • Labels: None

    Description

      When connecting with a proxy user without the doAs request parameter or the impala.doas.user connection config, the filters are executed with the authenticated user itself. However, in the case of Kerberos auth, the authenticated user is a Kerberos user principal, which will definitely not pass the LDAP checks, because the LDAP filters here need to be checked with a short username (which needs to be extracted from the Kerberos user principal).
      During the Kerberos authentication process, the short username is checked (see https://github.com/apache/impala/blob/master/be/src/rpc/authentication.cc#L757-L764); the only point where it doesn't work like that is this: https://github.com/apache/impala/blob/master/be/src/service/impala-hs2-server.cc#L394-L403
      https://github.com/apache/impala/blob/master/be/src/util/auth-util.cc#L43-L52
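
The mismatch described above, as an added example that is not Impala's code: an LDAP user filter is evaluated once with the raw Kerberos principal and once with the short username extracted from it. All function names, the allow-list standing in for the LDAP filter, and the principals are constructed for illustration; the short-name mapping is a simplified assumption (primary component only, no auth_to_local rules), as is the use of the doAs user for the filter when one is supplied.

```cpp
#include <iostream>
#include <set>
#include <string>

// Constructed stand-in for an LDAP user filter: the short account names
// a directory search would match. Not real directory data.
static const std::set<std::string> kLdapAllowedUsers = {"hue", "alice"};

// Simplified short-name mapping (assumption): keep the primary component of
// "primary[/instance][@REALM]". An empty result can never match the filter.
std::string ShortName(const std::string& principal) {
  const size_t end = principal.find_first_of("/@");
  return end == std::string::npos ? principal : principal.substr(0, end);
}

bool PassesLdapFilter(const std::string& user) {
  return kLdapAllowedUsers.count(user) > 0;
}

// Behaviour the report describes: with no doAs user, the authenticated
// identity (a full Kerberos principal) reaches the filter unchanged.
bool CheckWithRawPrincipal(const std::string& authenticated,
                           const std::string& do_as) {
  const std::string& effective = do_as.empty() ? authenticated : do_as;
  return PassesLdapFilter(effective);
}

// Expected behaviour: normalise the principal to its short name before the
// filter runs, so both code paths compare the same kind of identifier.
bool CheckWithShortName(const std::string& authenticated,
                        const std::string& do_as) {
  const std::string effective =
      do_as.empty() ? ShortName(authenticated) : do_as;
  return PassesLdapFilter(effective);
}

int main() {
  const std::string proxy = "hue/gateway.example.com@EXAMPLE.COM";  // constructed
  std::cout << std::boolalpha
            << "raw principal, no doAs:  " << CheckWithRawPrincipal(proxy, "") << "\n"
            << "short name, no doAs:     " << CheckWithShortName(proxy, "") << "\n"
            << "short name, doAs=alice:  " << CheckWithShortName(proxy, "alice") << "\n";
  return 0;
}
```

Dropping the realm is only safe when the Kerberos layer has already restricted which realms are accepted; otherwise principals from different realms collapse onto the same LDAP account.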

          People

            Assignee: gfarkas Gergely Farkas
            Reporter: gfarkas Gergely Farkas