kudu-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From t...@apache.org
Subject kudu git commit: KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA
Date Tue, 01 Aug 2017 21:34:48 GMT
Repository: kudu
Updated Branches:
  refs/heads/branch-1.4.x 7722dc8e0 -> 9adfd2db4


KUDU-2087. Fix failure to map Kerberos principal to username with FreeIPA

FreeIPA is a piece of software that automates and simplifies management
of MIT krb5, SSSD, some LDAP service, etc. FreeIPA configures a
localauth plugin[1] in krb5.conf to map Kerberos principals to local
usernames. In this configuration, Kudu daemons were failing to start up
due to failure to map their own service principals back to a username.
This is due to a number of issues:

1) FreeIPA distinguishes between service principals and user principals
and doesn't store a 'uid' field in LDAP for service principals. Thus,
when 'sssd' tries to map a service principal to a local unix user, it
determines that there is no such user (ie getpwnam() fails). This is by
design, best I can tell.

2) sssd's implementation of krb5_auth_to_localname[1] uses getpwnam to try
to map the kerberos principal to the local username. Because of the
above, it fails for service principals.

3) Prior to el7.3, ssd configures krb5 with 'enable_only = sssd' in the
localauth plugin section. This means that if sssd fails to perform the
mapping, it does not fall back to other mappings defined in krb5.conf
(eg explicitly defined auth_to_local rules). See [2]

4) Even after 7.3, there is an additional bug in sssd which I just
filed[3], which causes the fallback to still not work. Because of this,
we're getting the KRB5_PLUGIN_NO_HANDLE error code back up at the Kudu
layer.

We already have our own fallback case for KRB5_LNAME_NO_TRANS, and it
seems like we should just be handling PLUGIN_NO_HANDLE in the same way
to workaround the above behavior.

I tested this patch on a FreeIPA-configured system on el6.7. I was able
to successfully start a master with a FreeIPA-provided keytab and
authentication required, and use 'kudu table list' to authenticate to
it.

[1] https://github.com/SSSD/sssd/blob/master/src/krb5_plugin/sssd_krb5_localauth_plugin.c
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1297462
[3] https://pagure.io/SSSD/sssd/issue/3459

Change-Id: I7bc13b33053a73784350c9d30a3796a96d318c04
Reviewed-on: http://gerrit.cloudera.org:8080/7551
Tested-by: Kudu Jenkins
Reviewed-by: Alexey Serbin <aserbin@cloudera.com>
(cherry picked from commit ed827e0f0c23f154c06c43b4d43219cdd321e221)
Reviewed-on: http://gerrit.cloudera.org:8080/7553
Reviewed-by: Jean-Daniel Cryans <jdcryans@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/9adfd2db
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/9adfd2db
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/9adfd2db

Branch: refs/heads/branch-1.4.x
Commit: 9adfd2db4bd9362d82511dec9c476b304b3dd9a8
Parents: 7722dc8
Author: Todd Lipcon <todd@apache.org>
Authored: Mon Jul 31 18:58:26 2017 -0700
Committer: Todd Lipcon <todd@apache.org>
Committed: Tue Aug 1 21:32:50 2017 +0000

----------------------------------------------------------------------
 src/kudu/security/init.cc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kudu/blob/9adfd2db/src/kudu/security/init.cc
----------------------------------------------------------------------
diff --git a/src/kudu/security/init.cc b/src/kudu/security/init.cc
index dfdb5cd..0ddc602 100644
--- a/src/kudu/security/init.cc
+++ b/src/kudu/security/init.cc
@@ -408,9 +408,13 @@ Status MapPrincipalToLocalName(const std::string& principal, std::string*
local_
   // first component of the principal.
   rc = KRB5_LNAME_NOTRANS;
 #endif
-  if (rc == KRB5_LNAME_NOTRANS) {
+  if (rc == KRB5_LNAME_NOTRANS || rc == KRB5_PLUGIN_NO_HANDLE) {
     // No name mapping specified. We fall back to simply taking the first component
     // of the principal, for compatibility with the default behavior of Hadoop.
+    //
+    // NOTE: KRB5_PLUGIN_NO_HANDLE isn't typically expected here, but works around
+    // a bug in SSSD's auth_to_local implementation: https://pagure.io/SSSD/sssd/issue/3459
+    //
     // TODO(todd): we should support custom configured auth-to-local mapping, since
     // most Hadoop ecosystem components do not load them from krb5.conf.
     if (princ->length > 0) {


Mime
View raw message