[ 
https://issues.apache.org/jira/browse/IMPALA-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Rawat closed IMPALA-14083.
-----------------------------------
    Fix Version/s: Impala 4.5.1
       Resolution: Fixed

> kerberos user not set in session state when Cookie based Authentication is 
> used with a proxy client
> ---------------------------------------------------------------------------------------------------
>
>                 Key: IMPALA-14083
>                 URL: https://issues.apache.org/jira/browse/IMPALA-14083
>             Project: IMPALA
>          Issue Type: Bug
>            Reporter: Abhishek Rawat
>            Assignee: Abhishek Rawat
>            Priority: Critical
>             Fix For: Impala 4.5.1
>
>
> When Cookie based Authentication is used with a proxy client such as Knox, 
> the kerberos user may not be set in session state. This happens for the 
> sessions authenticated using Auth Cookies, which bypass the SPNEGO 
> Authentication. When using proxy clients such as Knox, the Authentication is 
> performed by the proxy client using its credentials such as 
> {code:java}
> knox/<host>@<realm> {code}
> When Knox uses a valid Authentication Cookie, Impala server skips SPNEGO 
> Authentication and this can result in a client request failing with the 
> following error:
> {code:java}
> The user authorized on the connection 'knox' does not match the session 
> username '' {code}
> This happens because the session created using Cookie Based AuthN did 
> not preserve kerberos user information, while the original connection which 
> resulted in SPNEGO AuthN did preserve kerberos user information in thread 
> local connection context.
>  
> Here is a log sequence resulting in the above error on the client side.
>  * New connection results in SPNEGO AuthN and preserves kerberos user in 
> thread local connection context corresponding to the thread *513163*
> {code:java}
> I0519 07:28:25.035172 511501 TAcceptQueueServer.cpp:355] New connection to 
> server hiveserver2-http-frontend from client <Host: 10.140.219.198 Port: 
> 43366>
> I0519 07:28:25.271310 513163 authentication.cc:599] Invalid cookie provided: 
> impala.auth="zRYm67vYXpnowEsi1scn5tHwkyKWuzfskULhsyE1yA4=&u=knox/[email protected]&t=12308739590&r=1382913108"
>  from: 10.140.219.198:43366: The signature is incorrect.
> I0519 07:28:25.272156 513163 authentication.cc:770] kerberos_user_principal 
> knox/[email protected] 
> kerberos_user_short knox
> {code}
>  * A subsequent new session ({*}af439227ac69984f:b1234edda9d103a1{*}) doesn't 
> result in SPNEGO AuthN and as a result kerberos user information is not 
> preserved in the session state. The session was created using thread *525109*
> {code:java}
> I0519 08:46:05.042977 525109 impala-hs2-server.cc:316] Opening session: 
> af439227ac69984f:b1234edda9d103a1 request username: jdoe
> I0519 08:46:05.043077 525109 impala-hs2-server.cc:363] 
> af439227ac69984f:b1234edda9d103a1 connected_user: 
> knox/[email protected] 
> connected_user_short:
> ....
> ....
> I0519 08:46:05.153427 525109 impala-server.cc:3530] session_id: 
> af439227ac69984f:b1234edda9d103a1 connection_username: 
> knox/[email protected] 
> kerberos_user_principal:  kerberos_user_short:
> ...
> I0519 08:46:05.153754 525109 impala-server.cc:1450] 
> 884c87778bcff25a:963abe7300000000] Registered query 
> query_id=884c87778bcff25a:963abe7300000000 
> session_id=af439227ac69984f:b1234edda9d103a1
> ....
> ....{code}
>  * A query ({*}634a94eb35004a56:34c6773200000000{*}) running in the session 
> *af439227ac69984f:b1234edda9d103a1* starts execution on thread *525109* but 
> one of the fetch rpcs gets scheduled on thread *513163* and the fetch rpc 
> fails with error due to mismatch in kerberos user in session state ('') and 
> thread local connection context ('knox')
> {code:java}
> I0519 08:56:15.705862 525109 impala-hs2-server.cc:996] FetchResults(): 
> query_id=634a94eb35004a56:34c6773200000000 session_id 
> af439227ac69984f:b1234edda9d103a1 I0519 08:56:15.705982 525109 
> impala-server.cc:3530] session_id: af439227ac69984f:b1234edda9d103a1 
> connection_username: 
> knox/[email protected] 
> kerberos_user_principal:  kerberos_user_short: 
> ....
> .... 
> I0519 08:56:25.853528 513163 impala-hs2-server.cc:996] FetchResults(): 
> query_id=634a94eb35004a56:34c6773200000000 session_id 
> af439227ac69984f:b1234edda9d103a1 I0519 08:56:25.853616 513163 
> impala-server.cc:3530] session_id: af439227ac69984f:b1234edda9d103a1 
> connection_username: 
> knox/[email protected] 
> kerberos_user_principal: 
> knox/[email protected] 
> kerberos_user_short: knox {code}
>  
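
A log check for the symptom described in this issue, added here as an example (it is not part of the Jira message or of Impala's code): it groups the `impala-server.cc` session lines by `session_id` and reports sessions whose threads logged different `kerberos_user_short` values. The sample lines are constructed from the format quoted above; the principal `knox/gateway.example.com@EXAMPLE.COM`, the second session id and its thread ids are made-up placeholders.

```python
import re
from collections import defaultdict

# Session line in the format quoted in the issue (impala-server.cc:3530).
# Empty principal / short-name fields are allowed, as in the cookie-auth case.
LINE_RE = re.compile(
    r"^[IWEF]\d{4} [\d:.]+\s+(?P<tid>\d+) impala-server\.cc:\d+\] "
    r"session_id: (?P<sid>[0-9a-f]+:[0-9a-f]+) "
    r"connection_username:[ ]*(?P<conn>\S*?)[ ]*"
    r"kerberos_user_principal:[ ]*(?P<princ>\S*?)[ ]*"
    r"kerberos_user_short:[ ]*(?P<short>\S*)$"
)

def find_identity_mismatches(log_text):
    """Map session_id -> {thread_id: kerberos_user_short} for every session
    whose threads logged different Kerberos short names (empty included)."""
    seen = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            seen[m["sid"]][m["tid"]] = m["short"]
    return {sid: tids for sid, tids in seen.items()
            if len(set(tids.values())) > 1}

# Constructed sample input (placeholder principal, single-line log records).
_P = "knox/gateway.example.com@EXAMPLE.COM"
_FMT = ("I0519 {t} {tid} impala-server.cc:3530] session_id: {sid} "
        "connection_username: " + _P +
        " kerberos_user_principal: {kp} kerberos_user_short: {ks}")
_S1 = "af439227ac69984f:b1234edda9d103a1"   # session id from the issue
_S2 = "1111111111111111:2222222222222222"   # made-up control session
SAMPLE_LOG = "\n".join([
    _FMT.format(t="08:56:15.705982", tid=525109, sid=_S1, kp="", ks=""),
    _FMT.format(t="08:56:25.853616", tid=513163, sid=_S1, kp=_P, ks="knox"),
    _FMT.format(t="09:01:02.000001", tid=530001, sid=_S2, kp=_P, ks="knox"),
    _FMT.format(t="09:01:07.000002", tid=530002, sid=_S2, kp=_P, ks="knox"),
    "I0519 09:01:08.000003 530002 impala-hs2-server.cc:996] FetchResults(): x",
])

if __name__ == "__main__":
    for sid, tids in find_identity_mismatches(SAMPLE_LOG).items():
        print(sid, {tid: short or "<empty>" for tid, short in tids.items()})
```
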


