[ https://issues.apache.org/jira/browse/IMPALA-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17977604#comment-17977604 ]
ASF subversion and git services commented on IMPALA-14083:
----------------------------------------------------------
Commit c044bdd49d20a83de3c04f6eeb9f2477eeee4815 in impala's branch
refs/heads/master from Abhishek Rawat
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=c044bdd49 ]

IMPALA-14083: Connected user and session user mismatch when cookie based
authentication is used with SPNEGO

IMPALA-11298 allowed comparing short user name for connected user and
session user to support proxy clients like Hue which could potentially
use different physical hosts for queries/requests from the same session.

When cookie based authentication is used, the 'kerberos_user_short' is
not set on the ConnectionContext and as a result 'connected_user_short'
is not set in SessionState. This can cause a mismatch when comparing
short user names from ConnectionContext and SessionState. This happens
because the original connection authenticated using SPNEGO will have
'kerberos_user_short' in the ConnectionContext, while the other
connections authenticated using cookies won't have 'kerberos_user_short'
set in the ConnectionContext.

This patch addresses this issue by setting 'kerberos_user_short' in
ConnectionContext, when using auth cookies generated post SPNEGO. This
information is retrieved from 'impala.auth' cookie itself, which now
also stores the 'a=<AUTH_MECHANISM>' in the cookie's value.

Testing:
- Added a SpnegoAuthTest which simulates 'knox' like proxy client and
  uses SPNEGO to connect to Impala and also uses authentication cookies.
  The test runs concurrent sql clients similar to real world scenarios.
  Without the fix the test fails with error:
    The user authorized on the connection '<username>' does not match the
    session username ''

Change-Id: Id7223e449c32484bfd2295f7a9e728b7c02637e9
Reviewed-on: http://gerrit.cloudera.org:8080/22986
Tested-by: Impala Public Jenkins <[email protected]>
Reviewed-by: Jason Fehr <[email protected]>

> kerberos user not set in session state when Cookie based Authentication is
> used with a proxy client
> ---------------------------------------------------------------------------------------------------
>
> Key: IMPALA-14083
> URL: https://issues.apache.org/jira/browse/IMPALA-14083
> Project: IMPALA
> Issue Type: Bug
> Reporter: Abhishek Rawat
> Assignee: Abhishek Rawat
> Priority: Critical
>
> When Cookie based Authentication is used with a proxy client such as Knox,
> the kerberos user may not be set in session state. This happens for the
> sessions authenticated using Auth Cookies which bypasses the SPNEGO
> Authentication. When using proxy clients such as knox, the Authentication is
> performed by the proxy client using its credentials such as
> {code:java}
> knox/<host>@<realm> {code}
> When knox uses a valid Authentication Cookie, Impala server skips SPNEGO
> Authentication and this can result in a client request failing with the
> following error:
> {code:java}
> The user authorized on the connection 'knox' does not match the session
> username '' {code}
> This happens because, while the session created using Cookie Based AuthN did
> not preserve kerberos user information, the original connection which
> resulted in SPNEGO AuthN did preserve kerberos user information in thread
> local connection context.
>
> Here is a log sequence resulting in above error on the client side.
> * New connection results in SPNEGO AuthN and preserves kerberos user in
> thread local connection context corresponding to the thread *513163*
> {code:java}
> I0519 07:28:25.035172 511501 TAcceptQueueServer.cpp:355] New connection to
> server hiveserver2-http-frontend from client <Host: 10.140.219.198 Port:
> 43366>
> I0519 07:28:25.271310 513163 authentication.cc:599] Invalid cookie provided:
> impala.auth="zRYm67vYXpnowEsi1scn5tHwkyKWuzfskULhsyE1yA4=&u=knox/[email protected]&t=12308739590&r=1382913108"
> from: 10.140.219.198:43366: The signature is incorrect.
> I0519 07:28:25.272156 513163 authentication.cc:770] kerberos_user_principal
> knox/[email protected]
> kerberos_user_short knox
> {code}
> * A subsequent new session ({*}af439227ac69984f:b1234edda9d103a1{*}) doesn't
> result in SPNEGO AuthN and as a result kerberos user information is not
> preserved in the session state. The session was created using thread *525109*
> {code:java}
> I0519 08:46:05.042977 525109 impala-hs2-server.cc:316] Opening session:
> af439227ac69984f:b1234edda9d103a1 request username: jdoe
> I0519 08:46:05.043077 525109 impala-hs2-server.cc:363]
> af439227ac69984f:b1234edda9d103a1 connected_user:
> knox/[email protected]
> connected_user_short:
> ....
> ....
> I0519 08:46:05.153427 525109 impala-server.cc:3530] session_id:
> af439227ac69984f:b1234edda9d103a1 connection_username:
> knox/[email protected]
> kerberos_user_principal: kerberos_user_short:
> ...
> I0519 08:46:05.153754 525109 impala-server.cc:1450]
> 884c87778bcff25a:963abe7300000000] Registered query
> query_id=884c87778bcff25a:963abe7300000000
> session_id=af439227ac69984f:b1234edda9d103a1
> ....
> ....{code}
> * A query ({*}634a94eb35004a56:34c6773200000000{*}) running in the session
> *af439227ac69984f:b1234edda9d103a1* starts execution on thread *525109* but
> one of the fetch rpcs gets scheduled on thread *513163* and the fetch rpc
> fails with error due to mismatch in kerberos user in session state ('') and
> thread local connection context ('knox')
> {code:java}
> I0519 08:56:15.705862 525109 impala-hs2-server.cc:996] FetchResults():
> query_id=634a94eb35004a56:34c6773200000000 session_id
> af439227ac69984f:b1234edda9d103a1 I0519 08:56:15.705982 525109
> impala-server.cc:3530] session_id: af439227ac69984f:b1234edda9d103a1
> connection_username:
> knox/[email protected]
> kerberos_user_principal: kerberos_user_short:
> ....
> ....
> I0519 08:56:25.853528 513163 impala-hs2-server.cc:996] FetchResults():
> query_id=634a94eb35004a56:34c6773200000000 session_id
> af439227ac69984f:b1234edda9d103a1 I0519 08:56:25.853616 513163
> impala-server.cc:3530] session_id: af439227ac69984f:b1234edda9d103a1
> connection_username:
> knox/[email protected]
> kerberos_user_principal:
> knox/[email protected]
> kerberos_user_short: knox {code}
>
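
An added model of the mismatch and of the fix the commit message describes; it is not Impala's code. The cookie layout follows the `impala.auth` value shown in the log plus the new `a=` field, while the HMAC key, the principal, the `SPNEGO` label used for `a=`, the choice to sign every field, and all function names are assumptions made for this illustration.

```python
import base64, hashlib, hmac

KEY = b"constructed-demo-key"  # constructed; not a real server secret

def _sign(body):
    return base64.b64encode(hmac.new(KEY, body.encode(), hashlib.sha256).digest()).decode()

def make_cookie(principal, ts, rand, mech=None):
    """Build '<sig>&u=..&t=..&r=..[&a=..]'; the signature covers every field."""
    body = f"u={principal}&t={ts}&r={rand}"
    if mech is not None:
        body += f"&a={mech}"  # the field the patch adds
    return f"{_sign(body)}&{body}"

def short_name(principal):
    """'knox/host@REALM' -> 'knox' (simplified short-name rule)."""
    return principal.split("@", 1)[0].split("/", 1)[0]

def connection_from_cookie(cookie):
    """Verify the cookie; return a connection-context dict, or None if invalid."""
    sig, _, body = cookie.partition("&")
    if not hmac.compare_digest(sig, _sign(body)):
        return None  # the "signature is incorrect" case
    fields = dict(f.split("=", 1) for f in body.split("&"))
    ctx = {"username": fields["u"], "kerberos_user_short": ""}
    if fields.get("a") == "SPNEGO":  # assumed mechanism label
        ctx["kerberos_user_short"] = short_name(fields["u"])
    return ctx

def check_session(ctx, session):
    """Short-name comparison between connection context and session state."""
    conn, sess = ctx["kerberos_user_short"], session["connected_user_short"]
    if conn != sess:
        return (f"The user authorized on the connection '{conn}' "
                f"does not match the session username '{sess}'")
    return "ok"

def replay(mech):
    """Open a session over a cookie connection, then fetch on the SPNEGO one."""
    principal = "knox/gateway.example.com@EXAMPLE.COM"  # constructed
    spnego_ctx = {"username": principal, "kerberos_user_short": short_name(principal)}
    cookie_ctx = connection_from_cookie(make_cookie(principal, 1747640000, 42, mech))
    session = {"connected_user_short": cookie_ctx["kerberos_user_short"]}
    return check_session(spnego_ctx, session)

if __name__ == "__main__":
    print(replay(None))      # cookie without a=: mismatch
    print(replay("SPNEGO"))  # cookie with a=SPNEGO: ok
```

Because the signature in this model covers `a=`, appending the field to an older cookie invalidates it, so the mechanism claim cannot be added by the client. Expiry checking on `t=` is left out to keep the focus on the short-name comparison.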