This is an automated email from the ASF dual-hosted git repository. dbecker pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/impala.git
commit 4e7c600f1c70b25833d3848ed65d5290035b6f62 Author: halim.kim <[email protected]> AuthorDate: Wed Jul 26 20:24:51 2023 +0900 IMPALA-14066 (Part 5): Re-applying IMPALA-12318: Add a flag option for http spnego dedicated keytab file. This commit re-applies IMPALA-12318 to the Kudu files after the Kudu rebase to v1.17.1. Testing: exhaustive tests have passed. The original commit message is below: Add a --spnego_keytab_file flag for seperation of service keytab file and spnego keytab file. If --webserver_require_spnego flag is true and --spnego_keytab_file is not empty but specifies a keytab location, web console gss acceptor registers specified keytab location so that web server is able to find spnego principal from spnego_keytab_file. if --spnego_keytab_file is empty even --webserver_require_spnego, web server will use --keytab_file flag as it is. Change-Id: I1db5a9f222f74429fead81ec9888bdd5b6e32f48 Reviewed-on: http://gerrit.cloudera.org:8080/20269 Reviewed-by: Impala Public Jenkins <[email protected]> Tested-by: Impala Public Jenkins <[email protected]> Reviewed-on: http://gerrit.cloudera.org:8080/22971 Reviewed-by: Daniel Becker <[email protected]> Tested-by: Daniel Becker <[email protected]> --- be/src/kudu/security/gssapi.cc | 3 +++ be/src/util/webserver.cc | 2 ++ 2 files changed, 5 insertions(+) diff --git a/be/src/kudu/security/gssapi.cc b/be/src/kudu/security/gssapi.cc index 116b8f969..01cdffd65 100644 --- a/be/src/kudu/security/gssapi.cc +++ b/be/src/kudu/security/gssapi.cc @@ -23,10 +23,13 @@ #include <glog/logging.h> +#include "common/global-flags.h" #include "kudu/gutil/strings/escaping.h" #include "kudu/util/scoped_cleanup.h" #include "kudu/util/status.h" +DECLARE_string(spnego_keytab_file); + using std::string; #if defined(__APPLE__) diff --git a/be/src/util/webserver.cc b/be/src/util/webserver.cc index 70b190d1a..2d8ac1ac5 100644 --- a/be/src/util/webserver.cc +++ b/be/src/util/webserver.cc @@ -28,6 +28,7 @@ #include <boost/lexical_cast.hpp> #include <boost/mem_fn.hpp> #include <boost/thread/shared_mutex.hpp> +#include <gssapi/gssapi_krb5.h> #include <rapidjson/document.h> #include <rapidjson/prettywriter.h> #include <rapidjson/stringbuffer.h> @@ -501,6 +502,7 @@ Status Webserver::Start() { return Status("Unable to configure web server for SPNEGO authentication: " "must configure a keytab file for the server"); } + krb5_gss_register_acceptor_identity(kt_file); LOG(INFO) << "Webserver: secured with SPNEGO authentication."; }
