IMPALA-9116: KUDU-2989. Work around SASL bug when FQDN is >=64 characters
This adds a workaround for an upstream SASL bug which is triggered when
the FQDN has more than 64 characters. In this case, SASL would truncate
the FQDN and not be able to find the relevant keytab.
The workaround simply uses our own code to determine the FQDN.
Change-Id: I9f05f70915ed20c97efd0ae7295b181a010cf0f6
Change-Id: I4898814f2f7ab87151798336414dde7078d28a4a
Reviewed-on: http://gerrit.cloudera.org:8080/14609
Reviewed-by: Anurag Mantripragada <anurag@cloudera.com>
Reviewed-by: Adar Dembo <adar@cloudera.com>
Tested-by: Kudu Jenkins
Reviewed-on: http://gerrit.cloudera.org:8080/14614
Reviewed-by: Todd Lipcon <todd@apache.org>
Reviewed-by: Michael Ho <kwho@cloudera.com>
Tested-by: Impala Public Jenkins <impala-public-jenkins@cloudera.com>
diff --git a/be/src/kudu/rpc/server_negotiation.cc b/be/src/kudu/rpc/server_negotiation.cc
index 612701f..a63d856 100644
--- a/be/src/kudu/rpc/server_negotiation.cc
+++ b/be/src/kudu/rpc/server_negotiation.cc
@@ -380,12 +380,25 @@
unsigned secflags = 0;
sasl_conn_t* sasl_conn = nullptr;
+
+ const char* server_fqdn = helper_.server_fqdn();
+ // If not explicitly set, use the host's FQDN here.
+ // SASL handles this itself if we pass null, but in a buggy way[1] that fails
+ // if the FQDN is >64 characters.
+ //
+ // [1] https://github.com/cyrusimap/cyrus-sasl/issues/583
+ string default_server_fqdn;
+ if (server_fqdn == nullptr) {
+ RETURN_NOT_OK_PREPEND(GetFQDN(&default_server_fqdn), "could not determine own FQDN");
+ server_fqdn = default_server_fqdn.c_str();
+ }
+
RETURN_NOT_OK_PREPEND(WrapSaslCall(nullptr /* no conn */, [&]() {
return sasl_server_new(
// Registered name of the service using SASL. Required.
sasl_proto_name_.c_str(),
// The fully qualified domain name of this server.
- helper_.server_fqdn(),
+ server_fqdn,
// Permits multiple user realms on server. NULL == use default.
nullptr,
// Local and remote IP address strings. We don't use any mechanisms
