Abhishek Rawat created IMPALA-14083:
---------------------------------------

             Summary: kerberos user not set in session state when Cookie Based Authentication is used with a proxy client
                 Key: IMPALA-14083
                 URL: https://issues.apache.org/jira/browse/IMPALA-14083
             Project: IMPALA
          Issue Type: Bug
            Reporter: Abhishek Rawat


When cookie-based authentication is used with a proxy client such as Knox, the 
Kerberos user may not be set in session state. This happens for sessions 
authenticated using auth cookies, which bypass SPNEGO authentication. When 
using proxy clients such as Knox, the authentication is performed by the proxy 
client using its credentials, such as:

{code:java}
knox/<host>@<realm>
{code}

When Knox uses a valid authentication cookie, the Impala server skips SPNEGO 
authentication, and this can result in a client request failing with the 
following error:

{code:java}
The user authorized on the connection 'knox' does not match the session username ''
{code}
This happens because the session created using cookie-based AuthN did not 
preserve the Kerberos user information, whereas the original connection, which 
resulted in SPNEGO AuthN, did preserve the Kerberos user information in the 
connection context.

Here is a log sequence resulting in the above error on the client side.
 * A new connection results in SPNEGO AuthN and preserves the Kerberos user in the 
thread-local connection context corresponding to thread *513163*

{code:java}
I0519 07:28:25.035172 511501 TAcceptQueueServer.cpp:355] New connection to server hiveserver2-http-frontend from client <Host: 10.140.219.198 Port: 43366>
I0519 07:28:25.271310 513163 authentication.cc:599] Invalid cookie provided: impala.auth="zRYm67vYXpnowEsi1scn5tHwkyKWuzfskULhsyE1yA4=&u=knox/[email protected]&t=12308739590&r=1382913108" from: 10.140.219.198:43366: The signature is incorrect.
I0519 07:28:25.272156 513163 authentication.cc:770] kerberos_user_principal knox/[email protected] kerberos_user_short knox
{code}
 * A subsequent new session ({*}af439227ac69984f:b1234edda9d103a1{*}) doesn't 
result in SPNEGO AuthN, and as a result the Kerberos user information is not 
preserved in the session state. The session was created using thread *525109*

{code:java}
I0519 08:46:05.042977 525109 impala-hs2-server.cc:316] Opening session: af439227ac69984f:b1234edda9d103a1 request username: jdoe
I0519 08:46:05.043077 525109 impala-hs2-server.cc:363] af439227ac69984f:b1234edda9d103a1 connected_user: knox/[email protected] connected_user_short:
....
....
I0519 08:46:05.153427 525109 impala-server.cc:3530] session_id: af439227ac69984f:b1234edda9d103a1 connection_username: knox/[email protected] kerberos_user_principal:  kerberos_user_short:
...
I0519 08:46:05.153754 525109 impala-server.cc:1450] 884c87778bcff25a:963abe7300000000] Registered query query_id=884c87778bcff25a:963abe7300000000 session_id=af439227ac69984f:b1234edda9d103a1
....
....
{code}
 * A query ({*}634a94eb35004a56:34c6773200000000{*}) running in the session 
*af439227ac69984f:b1234edda9d103a1* starts execution on thread *525109*, but one 
of the fetch RPCs gets scheduled on thread *513163*, and the fetch RPC fails 
with an error due to a mismatch between the Kerberos user in the session state ('') 
and in the thread-local connection context ('knox')

{code:java}
I0519 08:56:15.705862 525109 impala-hs2-server.cc:996] FetchResults(): query_id=634a94eb35004a56:34c6773200000000 session_id af439227ac69984f:b1234edda9d103a1
I0519 08:56:15.705982 525109 impala-server.cc:3530] session_id: af439227ac69984f:b1234edda9d103a1 connection_username: knox/[email protected] kerberos_user_principal:  kerberos_user_short:
....
....
I0519 08:56:25.853528 513163 impala-hs2-server.cc:996] FetchResults(): query_id=634a94eb35004a56:34c6773200000000 session_id af439227ac69984f:b1234edda9d103a1
I0519 08:56:25.853616 513163 impala-server.cc:3530] session_id: af439227ac69984f:b1234edda9d103a1 connection_username: knox/[email protected] kerberos_user_principal: knox/[email protected] kerberos_user_short: knox
{code}
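
A triage sketch for the pattern in the log sequence above, added here as an example and not taken from the Impala code base or from the report: it scans impalad log text for the lines that print `kerberos_user_short` per session and flags sessions logged with an empty value on one thread and a populated value on another. The sample lines are constructed in the shape of the quoted entries, with a placeholder principal, and assume each log entry sits on a single line.

```python
import re
from collections import defaultdict

# Constructed sample lines shaped like the impala-server.cc entries quoted above.
# The principal (host/realm) is a placeholder, not a value from the report.
P = "knox/host.example.com@EXAMPLE.COM"
SID = "af439227ac69984f:b1234edda9d103a1"
SAMPLE_LOG = "\n".join([
    f"I0519 08:46:05.153427 525109 impala-server.cc:3530] session_id: {SID} "
    f"connection_username: {P} kerberos_user_principal:  kerberos_user_short:",
    f"I0519 08:56:25.853616 513163 impala-server.cc:3530] session_id: {SID} "
    f"connection_username: {P} kerberos_user_principal: {P} kerberos_user_short: knox",
    # Control session: Kerberos user populated everywhere, must not be flagged.
    f"I0519 09:01:00.000001 600001 impala-server.cc:3530] session_id: 1111:2222 "
    f"connection_username: {P} kerberos_user_principal: {P} kerberos_user_short: knox",
])

# glog prefix (severity+date, time, thread id, file:line]) followed by the fields.
LINE_RE = re.compile(
    r"^[IWEF]\d{4} \S+\s+(?P<tid>\d+) \S+\] "
    r"session_id: (?P<sid>\S+) connection_username: (?P<conn>\S*) "
    r"kerberos_user_principal: *(?P<princ>\S*) +kerberos_user_short: *(?P<short>\S*)\s*$"
)

def find_mismatched_sessions(log_text):
    """Return sessions seen both with and without a Kerberos short name.

    Result: {session_id: {"empty_threads": {tid, ...}, "set_threads": {tid: short}}}
    """
    seen = defaultdict(lambda: {"empty_threads": set(), "set_threads": {}})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a per-session Kerberos user line
        entry = seen[m["sid"]]
        if m["short"]:
            entry["set_threads"][m["tid"]] = m["short"]
        else:
            entry["empty_threads"].add(m["tid"])
    # Only sessions with both states match the sequence described in this issue.
    return {s: e for s, e in seen.items() if e["empty_threads"] and e["set_threads"]}

if __name__ == "__main__":
    for sid, e in find_mismatched_sessions(SAMPLE_LOG).items():
        print(sid, "empty on", sorted(e["empty_threads"]), "set on", e["set_threads"])
```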
 


