CDAP / CDAP-13154

Authorization for an Impersonated NS fails if a full Kerberos principal is specified

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.3.3, 4.3.2, 4.3.1, 4.3.0
    • Fix Version/s: 4.3.4
    • Component/s: Namespaces, Security
    • Labels: None

      Description

      If an impersonated namespace is created with a complete Kerberos principal containing primary/instance@REALM, the authorization calls for impersonated operations fail because the authorization enforcement calls are made with the complete principal as the username.

      Principal{name='alice/hostname.net@REALM' type=USER, kerberosPrincipal=null} 
      

      Our integration tests don't catch this because we configure our impersonated namespace with the principal set to just the primary (username) part of the Kerberos principal (the short name).

      This issue might occur with an impersonated app, dataset or anything that supports impersonation. We need to verify this.

      The current workaround is to avoid using a full Kerberos principal.

      See screenshots.
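
The mismatch described above, as an added Java example (not CDAP's code and not the fix shipped in 4.3.4): a hypothetical policy store keyed by short user names is queried first with the configured principal as-is and then with its primary component. `shortName`, `isAuthorized`, `GRANTS` and the `WRITE` action are assumptions for illustration, and the parser is a simplification of Hadoop-style `auth_to_local` mapping.

```java
import java.util.*;

/** Added illustration; not CDAP code. Class and method names are hypothetical. */
public class PrincipalShortNameDemo {

    /**
     * Reduces primary[/instance][@REALM] to its primary component.
     * Simplified assumption: escaped '/' or '@' characters are not handled, and
     * real Hadoop deployments map principals with auth_to_local rules instead.
     */
    static String shortName(String principal) {
        if (principal == null || principal.isEmpty()) {
            throw new IllegalArgumentException("empty principal");
        }
        int at = principal.indexOf('@');
        String withoutRealm = at >= 0 ? principal.substring(0, at) : principal;
        int slash = withoutRealm.indexOf('/');
        String primary = slash >= 0 ? withoutRealm.substring(0, slash) : withoutRealm;
        if (primary.isEmpty()) {
            throw new IllegalArgumentException("principal has no primary: " + principal);
        }
        return primary;
    }

    /** Hypothetical policy store: privileges are granted to short user names. */
    static final Map<String, Set<String>> GRANTS = new HashMap<>();

    static boolean isAuthorized(String userName, String action) {
        return GRANTS.getOrDefault(userName, Collections.emptySet()).contains(action);
    }

    public static void main(String[] args) {
        GRANTS.put("alice", new HashSet<>(Arrays.asList("WRITE")));
        // Constructed sample values; the first is the principal shown in the report.
        String[] configured = {"alice/hostname.net@REALM", "alice@REALM", "alice"};
        for (String p : configured) {
            // Enforcement called with the configured string, as the report describes.
            boolean raw = isAuthorized(p, "WRITE");
            // Enforcement called after reducing the principal to its short name.
            boolean normalized = isAuthorized(shortName(p), "WRITE");
            System.out.printf("%-26s raw=%-5b normalized=%b%n", p, raw, normalized);
        }
    }
}
```

Dropping the realm is only safe when a single trusted realm is accepted; otherwise `alice@REALM` and `alice@OTHER` collapse to the same authorization subject.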

        Attachments

        1. image.png (124 kB)
        2. principal.jpg (29 kB)


            People

            • Assignee:
              rsinha Rohit Sinha
              Reporter:
              rsinha Rohit Sinha
