Marton Greber has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/23153 )
Change subject: [webserver] Mapping Kerberos principals to local usernames
......................................................................

[webserver] Mapping Kerberos principals to local usernames

The REST API was failing authorization checks for authenticated Kerberos users due to a mismatch between the authentication and authorization username formats. When users authenticate via SPNEGO, the webserver extracts the full Kerberos principal (e.g., "[email protected]") and passes it directly to the authorization layer. However, Ranger policies are configured with short usernames (e.g., "test-user"), causing authorization to fail even for properly authenticated users with valid policies.

This created an inconsistency where the same user with identical Ranger policies could successfully perform operations via the RPC API but would be denied when using the REST API. The RPC layer correctly maps Kerberos principals to local usernames using MapPrincipalToLocalName() before authorization, but the REST API was bypassing this step.

This patch adds principal-to-local username mapping to all webserver authorization points in webserver.cc. The implementation uses the same MapPrincipalToLocalName() function as the RPC layer, ensuring consistent behavior across both APIs.

Moreover, the WebRequest struct had an authn_princ field that was renamed to username to better reflect its purpose, as it now contains the local username after mapping.
Change-Id: Ib25a7886c32cbbef35272cd5799ae84601335a34
Reviewed-on: http://gerrit.cloudera.org:8080/23153
Reviewed-by: Marton Greber <[email protected]>
Tested-by: Marton Greber <[email protected]>
Reviewed-by: Zoltan Chovan <[email protected]>
---
M src/kudu/master/rest_catalog_path_handlers.cc
M src/kudu/server/webserver-test.cc
M src/kudu/server/webserver.cc
M src/kudu/util/web_callback_registry.h
4 files changed, 22 insertions(+), 11 deletions(-)

Approvals:
  Marton Greber: Looks good to me, approved; Verified
  Zoltan Chovan: Looks good to me, but someone else must approve

--
To view, visit http://gerrit.cloudera.org:8080/23153
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: Ib25a7886c32cbbef35272cd5799ae84601335a34
Gerrit-Change-Number: 23153
Gerrit-PatchSet: 4
Gerrit-Owner: Gabriella Lotz <[email protected]>
Gerrit-Reviewer: Gabriella Lotz <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Marton Greber <[email protected]>
Gerrit-Reviewer: Zoltan Chovan <[email protected]>
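
Added example, not part of the Kudu change or of the message above: a C++ sketch of the mismatch the commit message describes, where a policy keyed on short usernames is checked against the full principal, next to the mapped check. All names here are hypothetical, the realm and policy contents are constructed, and the mapping follows the Kerberos DEFAULT auth_to_local rule rather than Kudu's MapPrincipalToLocalName(); denying when no mapping applies is this sketch's choice.

```cpp
#include <iostream>
#include <set>
#include <string>

// Constructed sample data (assumptions, not values from the Kudu change).
const std::string kDefaultRealm = "EXAMPLE.COM";
const std::set<std::string> kPolicyUsers = {"test-user"};  // short names only

// Hypothetical stand-in for a principal-to-local-name mapping, following the
// Kerberos DEFAULT auth_to_local rule: only a single-component principal in
// the default realm maps, and it maps to its primary component.
bool ToLocalName(const std::string& principal, std::string* local) {
  const std::string::size_type at = principal.rfind('@');
  if (at == std::string::npos || at == 0) return false;
  const std::string primary = principal.substr(0, at);
  if (principal.substr(at + 1) != kDefaultRealm) return false;   // foreign realm
  if (primary.find('/') != std::string::npos) return false;      // multi-component
  *local = primary;
  return true;
}

// Authorization layer: it knows only the short usernames in the policy.
bool PolicyAllows(const std::string& username) {
  return kPolicyUsers.count(username) > 0;
}

// Before: the authenticated principal goes straight to the policy check,
// so "test-user@EXAMPLE.COM" never matches the policy entry "test-user".
bool AuthorizeUnmapped(const std::string& principal) {
  return PolicyAllows(principal);
}

// After: map first, then authorize; an unmappable principal is denied.
bool AuthorizeMapped(const std::string& principal) {
  std::string username;
  return ToLocalName(principal, &username) && PolicyAllows(username);
}

int main() {
  for (const char* p : {"test-user@EXAMPLE.COM", "test-user@OTHER.REALM",
                        "test-user/admin@EXAMPLE.COM"}) {
    std::cout << p << " unmapped=" << AuthorizeUnmapped(p)
              << " mapped=" << AuthorizeMapped(p) << "\n";
  }
  return 0;
}
```

The foreign-realm and multi-component cases show why the mapping step is security-relevant in its own right: whatever it returns is the identity the policy is evaluated against.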
