jprdonnelly/impala
1
0
Fork 0
mirror of https://github.com/apache/impala.git synced 2025-12-19 18:12:08 -05:00
Code Issues Projects Releases Wiki Activity
Files
04bdb4d32c598bd66c4774eac59947e4d95e0173
impala/tests/shell/test_shell_commandline_kerberos_auth.py
Gergely Farkas 04bdb4d32c IMPALA-12552: Fix Kerberos authentication issue that occurs 
in python 3 environment when kerberos_host_fqdn option is used

In Pyhton 2, the sasl layer does not accept unicode strings,
so we have to explicitly encode the kerberos_host_fqdn string
to ascii. However, this is not the case in python 3, where
we have to omit the encode, because if we don't do this,
impala-shell wants to use the following service principal
during Kerberos auth:
my_service_name/b'my.kerberos.host.fqdn'@MY.REALM
instead of the correct one, which is:
my_service_name/my.kerberos.host.fqdn@MY.REALM
(This is because the output of the encode function
is a byte array in python 3.)

Tested with new unit tests and with a snapshot build
manually in CDP PVC DS.

Change-Id: I8b157d76824ad67faf531a529256a8afe2ab9d49
Reviewed-on: http://gerrit.cloudera.org:8080/20691
Reviewed-by: Michael Smith <michael.smith@cloudera.com>
Tested-by: Impala Public Jenkins <impala-public-jenkins@cloudera.com>
Reviewed-by: Wenzhe Zhou <wzhou@cloudera.com>
2023-11-17 20:08:42 +00:00

92 lines
3.6 KiB
Python
Raw Blame History

#!/usr/bin/env impala-python
# -*- coding: utf-8 -*-
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
from __future__ import absolute_import, division, print_function
import pytest
from tests.common.impala_test_suite import ImpalaTestSuite
from tests.common.test_dimensions import create_client_protocol_http_transport
from tests.shell.util import create_impala_shell_executable_dimension
from tests.shell.util import run_impala_shell_cmd
from k5test import K5Realm
class TestImpalaShellKerberosAuth(ImpalaTestSuite):
@classmethod
def get_workload(self):
return 'functional-query'
@classmethod
def add_test_dimensions(cls):
"""Overrides all other add_dimension methods in super classes up the entire class
hierarchy ensuring that each test in this class only get run once
on different python versions."""
cls.ImpalaTestMatrix.add_dimension(create_client_protocol_http_transport())
cls.ImpalaTestMatrix.add_dimension(create_impala_shell_executable_dimension())
@pytest.mark.execute_serially
def test_kerberos_host_fqdn_option(self, vector):
"""
This test checks whether impala-shell uses the hostname specified in
the kerberos_host_fqdn option when looking for a service principal
for Kerberos authentication.
Note: Since the Kerberos authentication is not enabled in the python
test environment, the connection will fail for sure, but the Kerberos
log can be used to check if the correct service principal is used.
"""
realm = None
try:
realm = self._create_kerberos_realm_and_user("testuser", "password")
env = {
"KRB5CCNAME": "FILE:" + realm.ccache, # Ticket cache created by kinit
"KRB5_TRACE": "/dev/stderr", # Krb log to validate the principals
}
result = run_impala_shell_cmd(vector, ['--kerberos',
'--connect_max_tries=1',
'--protocol=hs2-http',
'--kerberos_host_fqdn=any.host',
'--quiet'], env=env)
assert "testuser@KRBTEST.COM" in result.stderr, \
"Principal 'testuser@KRBTEST.COM' should be in the Kerberos log"
assert "impala/any.host@KRBTEST.COM" in result.stderr, \
"Principal 'impala/any.host@KRBTEST.COM' should be in the Kerberos log"
finally:
realm.stop_kdc()
def _create_kerberos_realm_and_user(self, principal, password):
"""
Initializes a test Kerberos realm, creates a new user principal,
and runs kinit to get a Kerberos ticket.
Args:
principal (str): Name of the new Kerberos user principal.
password (str): Password of the new Kerberos user principal.
Returns:
realm (K5Realm): The Kerberos realm.
"""
realm = K5Realm(create_host=False, get_creds=False)
realm.addprinc(principal, password)
realm.kinit(principal, password)
return realm
Reference in New Issue View Git Blame Copy Permalink