Pegasus-Shell supports executing kinit outside of the program and completing authentication within the program #1569

Merged Aug 11, 2023 (6 commits)

@WHBANG WHBANG commented Jul 18, 2023

What problem does this PR solve?

#1568

What is changed and how does it work?

When kerberos authentication is enabled:

  • If the configs 'krb5_keytab' and 'krb5_principal' are not empty, Pegasus completes the kinit action by itself.
  • When both values are empty, the user needs to complete the kinit action themselves, and Pegasus will obtain the principal of the current Unix account for authentication.

Example when the enable_auth value is true:

config.ini: No keytab file is provided and no principal is specified in the configuration file

[security]
  enable_auth = true
  krb5_config = /etc/krb5.conf
  sasl_plugin_path = /root/apache/incubator-pegasus/thirdparty/output/lib/sasl2
  service_fqdn = a656c309c331
  service_name = test1

Execute klist first to verify that kinit has not been executed in the environment

[root@a656c309c331 incubator-pegasus]# klist
klist: Credentials cache keyring 'persistent:0:0' not found

At this time, directly executing the pegasus-shell tool will exit abnormally

[root@a656c309c331 incubator-pegasus]# ./run.sh shell
Pegasus Shell 2.4.0-SNAPSHOT
Type "help" for more information.
Type "Ctrl-D" or "Ctrl-C" to exit the shell.

run the system failed
dsn exit with code -1

Execute kinit under the current unix account

[root@a656c309c331 incubator-pegasus]# kinit -kt /root/apache/pegasus.keytab test2/a656c309c331@DEMO.TEST.COM
[root@a656c309c331 incubator-pegasus]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: test2/a656c309c331@DEMO.TEST.COM

Valid starting       Expires              Service principal
07/18/2023 08:04:52  07/19/2023 08:04:52  krbtgt/DEMO.TEST.COM@DEMO.TEST.COM

Execute pegasus-shell again; we can enter successfully, and the log shows that the authentication is successful

[root@a656c309c331 incubator-pegasus]# ./run.sh shell
Pegasus Shell 2.4.0-SNAPSHOT
Type "help" for more information.
Type "Ctrl-D" or "Ctrl-C" to exit the shell.

The config file is: /root/apache/incubator-pegasus/config-shell.ini.186049
The cluster name is: onebox
The cluster meta list is: 127.0.0.1:34601,127.0.0.1:34602,127.0.0.1:34603
>>> ls
[general_info]
app_id  status     app_name  app_type  partition_count  replica_count  is_stateful  create_time          drop_time  drop_expire  envs_count
1       AVAILABLE  temp      pegasus   8                3              true         2023-07-18_07:22:44  -          -            0

[summary]
total_app_count  : 1

>>> get_meta_level
current meta level is fl_steady
>>>
I2023-07-18 08:07:24.920 (1689667644920761644 186054) unknown.io-thrd.186054: service_api_c.cpp:468:run(): process(186054) start: 1689667644916, date: 2023-07-18 08:07:24.916
I2023-07-18 08:07:24.921 (1689667644921036912 186054) unknown.io-thrd.186054: init.cpp:67:init(): initialize kerberos succeed
I2023-07-18 08:07:24.921 (1689667644921528195 186054) unknown.io-thrd.186054: init.cpp:74:init(): initialize sasl succeed
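
Added example (not part of the PR or of Pegasus): a pre-flight script for the two credential paths the description above distinguishes. It reads `[security]` from a config.ini and, when neither `krb5_keytab` nor `krb5_principal` is set, uses `klist -s` to confirm a usable ticket cache before the shell is launched. The function names and mode labels are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Pegasus code: pre-flight check for the two Kerberos modes.

# Print the value of key $2 from the [security] section of ini file $1.
security_value() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[security\][ \t]*$/); next }
        in_sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Mode labels are this example's own names, not Pegasus terms.
kerberos_mode() {
    keytab=$(security_value "$1" krb5_keytab)
    principal=$(security_value "$1" krb5_principal)
    if [ "$(security_value "$1" enable_auth)" != "true" ]; then echo auth-disabled
    elif [ -n "$keytab" ] && [ -n "$principal" ]; then echo internal-kinit
    elif [ -z "$keytab" ] && [ -z "$principal" ]; then echo external-kinit
    else echo incomplete   # only one of the two set: not covered by the PR text
    fi
}

# Return 0 and print the mode if the shell can be expected to authenticate.
preflight() {
    mode=$(kerberos_mode "$1")
    case "$mode" in
        external-kinit)   # klist -s is silent and fails on a missing/expired cache
            klist -s 2>/dev/null || { echo "run kinit first" >&2; return 1; } ;;
        internal-kinit)
            [ -r "$(security_value "$1" krb5_keytab)" ] ||
                { echo "keytab not readable" >&2; return 1; } ;;
        incomplete)
            echo "set both krb5_keytab and krb5_principal, or neither" >&2; return 1 ;;
    esac
    echo "$mode"
}

# Constructed sample mirroring the config.ini in the PR description.
sample=$(mktemp)
printf '[security]\n  enable_auth = true\n  krb5_config = /etc/krb5.conf\n' > "$sample"
kerberos_mode "$sample"
rm -f "$sample"
```

Running `preflight` on the config before `./run.sh shell` turns the opaque `dsn exit with code -1` failure into an explicit message about the missing ticket cache or keytab.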

@github-actions github-actions bot added the cpp label Jul 18, 2023
@WHBANG WHBANG force-pushed the dev/kinit_if_necessary branch from 624129a to 68a3964 Compare July 19, 2023 13:05
@WHBANG WHBANG changed the title from "Pegasus-Shell supports executing kinit outside of the program and completing authentication within the program." to "Pegasus-Shell supports executing kinit outside of the program and completing authentication within the program" Aug 10, 2023
@WHBANG WHBANG force-pushed the dev/kinit_if_necessary branch from adc8922 to dc32179 Compare August 10, 2023 11:08
@acelyc111 acelyc111 merged commit 72c8f2f into apache:master Aug 11, 2023
@empiredan empiredan mentioned this pull request Aug 22, 2023
GehaFearless pushed a commit to GehaFearless/incubator-pegasus that referenced this pull request Feb 28, 2024