Details
-
Improvement
-
Status: Resolved
-
Major
-
Resolution: Duplicate
-
Impala 3.2.0
-
None
-
None
-
ghx-label-7
Description
Currently, Impala starts a kinit renewal thread only when kerberos is enabled,
Status SecureAuthProvider::Start() {
// True for kerberos internal use
if (needs_kinit_) {
DCHECK(is_internal_);
DCHECK(!principal_.empty());
// IMPALA-8154: Disable any Kerberos auth_to_local mappings.
FLAGS_use_system_auth_to_local = false;
// Starts a thread that periodically does a 'kinit'. The thread lives as long as the
// process does.
KUDU_RETURN_IF_ERROR(kudu::security::InitKerberosForServer(principal_, keytab_file_,
FLAGS_krb5_ccname, false), "Could not init kerberos"); <==== starts the thread
LOG(INFO) << "Kerberos ticket granted to " << principal_;
}
There can be cases where Impala's internal connections are not kerberized but communication with external components like HMS/Ranger/Atlas could be kerberized. In such setups, Impala process doesn't have a tgt initialized resulting in failing connections to these components.
We could start with decoupling the kinit thread from the kerberos configuration and have it run in cases where any communication is kerberized (use a flag?).
Attachments
Issue Links
- duplicates
-
-
- Resolved
-