From: "Kan Zhang (JIRA)"
To: common-issues@hadoop.apache.org
Date: Fri, 3 Sep 2010 20:10:33 -0400 (EDT)
Subject: [jira] Updated: (HADOOP-6907) Rpc client doesn't use the per-connection conf to figure out server's Kerberos principal

     [ https://issues.apache.org/jira/browse/HADOOP-6907?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kan Zhang updated HADOOP-6907:
------------------------------

    Attachment: c6907-Y20S.1xx.05.patch

Attaching a patch for Yahoo internal Y20S branch (includes HADOOP-6907, HADOOP-6938 and HADOOP-6905). Not for commit.

> Rpc client doesn't use the per-connection conf to figure out server's Kerberos principal
> ----------------------------------------------------------------------------------------
>
>                 Key: HADOOP-6907
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6907
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: ipc, security
>            Reporter: Kan Zhang
>            Assignee: Kan Zhang
>             Fix For: 0.22.0
>
>         Attachments: c6907-12.patch, c6907-15.patch, c6907-16.patch, c6907-18.patch, c6907-Y20S.1xx.05.patch
>
>
> Currently, RPC client caches the conf that was passed in to its constructor and uses that same conf (or values obtained from it) for every connection it sets up. This is not sufficient for security since each connection needs to figure out server's Kerberos principal on a per-connection basis. It's not reasonable to expect the first conf used by a user to contain all the Kerberos principals that her future connections will ever need. Or worse, if her first conf contains an incorrect principal name, it will prevent the user from connecting to the server even if she later on passes in a correct conf on retry (by calling RPC.getProxy()).
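
An added sketch of the behaviour the issue describes, not code from Hadoop or from the attached patches: a client that takes the server principal from the conf cached at construction, next to one that resolves it per connection. The conf is modelled as a plain Map; the key name, class names and principals are constructed for illustration, and keying the connection cache on the principal is an assumption made here, not something the issue text states.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration, not Hadoop code. A conf is modelled as a Map; KEY is a hypothetical key name.
public class PerConnectionPrincipal {
    static final String KEY = "example.server.kerberos.principal"; // hypothetical

    // Behaviour described in the issue: the conf is captured once, in the constructor.
    static class CachingClient {
        private final Map<String, String> cachedConf;
        CachingClient(Map<String, String> firstConf) { this.cachedConf = firstConf; }
        String serverPrincipal(String server, Map<String, String> callConf) {
            return cachedConf.get(KEY); // callConf is never consulted
        }
    }

    // Assumed alternative: resolve the principal from the conf supplied for this connection,
    // and make it part of the connection cache key so a corrected conf is not shadowed.
    static class PerConnectionClient {
        private final Map<String, String> connections = new HashMap<>();
        String serverPrincipal(String server, Map<String, String> callConf) {
            String principal = callConf.get(KEY);
            if (principal == null || principal.isEmpty()) {
                // Fail closed: never fall back to a principal taken from some earlier conf.
                throw new IllegalStateException("no server principal configured for " + server);
            }
            return connections.computeIfAbsent(server + "|" + principal, k -> principal);
        }
    }

    public static void main(String[] args) {
        // Constructed sample values.
        String server = "nn.example.com:8020";
        Map<String, String> firstConf = Map.of(KEY, "nn/typo.example.com@EXAMPLE.COM");
        Map<String, String> retryConf = Map.of(KEY, "nn/nn.example.com@EXAMPLE.COM");

        CachingClient caching = new CachingClient(firstConf);
        caching.serverPrincipal(server, firstConf);
        System.out.println("cached conf, retry:         " + caching.serverPrincipal(server, retryConf));

        PerConnectionClient perConn = new PerConnectionClient();
        perConn.serverPrincipal(server, firstConf);
        System.out.println("per-connection conf, retry: " + perConn.serverPrincipal(server, retryConf));
    }
}
```

Running `main` shows the caching client still reporting the principal from the first conf on retry, while the per-connection client reports the one from the conf passed on the retry.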