hadoop-common-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Matt Foley (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-12617) SPNEGO authentication request to non-default realm gets default realm name inserted in target server principal
Date Sun, 06 Dec 2015 22:01:10 GMT
Matt Foley created HADOOP-12617:
-----------------------------------

             Summary: SPNEGO authentication request to non-default realm gets default realm
name inserted in target server principal
                 Key: HADOOP-12617
                 URL: https://issues.apache.org/jira/browse/HADOOP-12617
             Project: Hadoop Common
          Issue Type: Bug
          Components: security
    Affects Versions: 2.7.1
         Environment: Java client talking to two secure clusters in different Kerberos realms,
or talking to any secure cluster in non-default realm
            Reporter: Matt Foley
            Assignee: Matt Foley


Note: This is NOT a vulnerability.

In order for a single Java client to communicate with two different secure clusters in different
realms (only one of which can be the "default_realm"), the client's krb5.conf file must specify
both realms, and provide a \[domain_realm\] section that maps cluster servers' domains to
the correct realms.  With other appropriate behaviors (such as using the config from each
cluster to talk to the respective clusters, and a user principal from each realm to talk to
the respective realms), this is sufficient for most Hadoop ecosystem clients.  

But our SPNEGO using clients, such as Oozie, have a bug when it comes to talking to a non-default
realm.  The default realm name gets incorrectly inserted into the construction of the target
server principal for the non-default-realm cluster.  Details and proposed solution are given
in the first comments below.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message