[KYUUBI #7265] Recommend to configure kyuubi.session.local.dir.allowlist for multi-tenant clusters

aajisaka · aajisaka · commit 44607b18cb67 · 2025-12-10T16:51:54.000+09:00
### Why are the changes needed? Add recommendation to protect credentials in Kyuubi server for multi-tenant use case. Fixes #7265 ### How was this patch tested? New test is not added because it's only documentation and logging change. ### Was this patch authored or co-authored using generative AI tooling? No Closes #7269 from aajisaka/multi-tenant-doc. Closes #7265 477ad75 [Akira Ajisaka] Fix scalastyle check 5e947b9 [Akira Ajisaka] [KYUUBI #7265] Recommend to configure kyuubi.session.local.dir.allow.list for multi-tenant clusters. Authored-by: Akira Ajisaka <aajisaka@apache.org> Signed-off-by: Akira Ajisaka <aajisaka@apache.org> (cherry picked from commit 4b180d4) Signed-off-by: Akira Ajisaka <aajisaka@apache.org>
diff --git a/docs/security/kinit.md b/docs/security/kinit.md
@@ -101,6 +101,9 @@ hadoop.proxyuser.<user name in principal>.groups *
 hadoop.proxyuser.<user name in principal>.hosts *
 ```
 
+Also, you must configure `kyuubi.session.local.dir.allow.list` to exclude your Kyuubi server's keytab and any other credential from the local directories.
+Otherwise, any user who can login to the Kyuubi server via Kyuubi frontend protocols is possible to obtain the keytab and to impersonate the users configured by Hadoop proxy user settings.
+
 ## Further Readings
 
 - [Hadoop in Secure Mode](https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html)
diff --git a/kyuubi-server/src/main/scala/org/apache/kyuubi/server/KinitAuxiliaryService.scala b/kyuubi-server/src/main/scala/org/apache/kyuubi/server/KinitAuxiliaryService.scala
@@ -44,6 +44,12 @@ class KinitAuxiliaryService() extends AbstractService("KinitAuxiliaryService") {
       kinitMaxAttempts = conf.get(KyuubiConf.KINIT_MAX_ATTEMPTS)
 
       require(keytab.nonEmpty && principal.nonEmpty, "principal or keytab is missing")
+      if (conf.get(KyuubiConf.ENGINE_DO_AS_ENABLED) &&
+        conf.get(KyuubiConf.SESSION_LOCAL_DIR_ALLOW_LIST).isEmpty) {
+        warn(s"User impersonation is enabled, but ${KyuubiConf.SESSION_LOCAL_DIR_ALLOW_LIST}" +
+          " is unset. We strongly recommend to configure the allowed local dir list" +
+          " to exclude any credential including keytab.")
+      }
       UserGroupInformation.loginUserFromKeytab(principal.get, keytab.get)
       val krb5Conf = Option(System.getProperty("java.security.krb5.conf"))
         .orElse(Option(System.getenv("KRB5_CONFIG")))
