hadoop-common-issues mailing list archives

From "Suresh Srinivas (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-7215) RPC clients must connect over a network interface corresponding to the host name in the client's kerberos principal key
Date Thu, 31 Mar 2011 18:47:07 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-7215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13014137#comment-13014137 ]

Suresh Srinivas commented on HADOOP-7215:
-----------------------------------------

In that case, we have two choices:

1. Fail at the client side:
   a. If the client principal name does not have <part1>/<part2>@realm format, fail it at the client with an appropriate error.
   b. If the format is right, treat part2 as the host name. Just try to bind to it, and if the bind fails, then the failure occurs at the client itself with an appropriate error.

2. Fail at the server side:
   a. If the client principal name does not have <part1>/<part2>@realm format, bind to any local address for the request.
   b. If the format is right, treat part2 as the host name. If the host name is a valid local address, bind to it; else bind to any local address. This request will be rejected by the server.

I am leaning towards (2) because the server is rightly involved in the decision of rejecting the client. It provides a record of this at both the client and the server. This will help debugging on the server side, independent of the client.

> RPC clients must connect over a network interface corresponding to the host name in the client's kerberos principal key
> -----------------------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-7215
>                 URL: https://issues.apache.org/jira/browse/HADOOP-7215
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Suresh Srinivas
>            Assignee: Suresh Srinivas
>             Fix For: 0.20.203.0, 0.23.0
>
>         Attachments: HADOOP-7215.trunk.patch
>
>
> HDFS-7104 introduced a change where the RPC server matches the client's hostname with the hostname specified in the client's Kerberos principal name. The RPC client binds the socket to a random local address, which might not match the hostname specified in the principal name. This results in an authorization failure of the client at the server.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
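The two policies discussed in the comment above, as an added example that is not Hadoop's code or the patch attached to HADOOP-7215: parse the principal as <part1>/<part2>@realm, treat part2 as the host to bind the client socket to, and either fail at the client (option 1) or fall back to the wildcard address and leave the rejection to the server (option 2). It is written in Python rather than Java so it can be run stand-alone. Assumptions: IPv4 only, no handling of backslash-escaped characters in principal names, and the server-side check receives the peer's hostname as a parameter (a real server would obtain it by reverse lookup of the connection's remote address). The sample principals and the TEST-NET address 203.0.113.5 (which is never local, so binding to it fails) are constructed for the example.

```python
"""Client bind-address selection for a Kerberos-authenticated RPC client.

Added example modelling options (1) and (2) from the HADOOP-7215 comment;
not Hadoop code. IPv4 only; escaped principal characters are not handled.
"""
import socket
from dataclasses import dataclass
from typing import Optional

ANY_ADDR = "0.0.0.0"  # wildcard bind, the fallback in option (2)


class ClientBindError(Exception):
    """Raised under option (1): the client refuses to send the request."""


@dataclass(frozen=True)
class Principal:
    primary: str             # part1
    instance: Optional[str]  # part2, the host name; None when absent
    realm: str


def parse_principal(name: str) -> Principal:
    """Split '<part1>/<part2>@<realm>' (part2 optional) into its parts.

    Assumption: backslash escapes allowed by Kerberos are not handled.
    """
    if "@" not in name:
        raise ValueError(f"principal {name!r} has no @realm")
    head, realm = name.rsplit("@", 1)
    if not head or not realm:
        raise ValueError(f"principal {name!r} is malformed")
    if "/" in head:
        primary, instance = head.split("/", 1)
        if not primary or not instance:
            raise ValueError(f"principal {name!r} is malformed")
        return Principal(primary, instance, realm)
    return Principal(head, None, realm)


def _bind_new_socket(addr: str) -> socket.socket:
    """Fresh TCP socket bound to addr on an ephemeral port (closed on error)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((addr, 0))  # EADDRNOTAVAIL if addr is not a local address
    except OSError:
        sock.close()
        raise
    return sock


def bind_client_socket(principal: str, fail_at_client: bool) -> socket.socket:
    """Return a bound, not yet connected, client socket; caller closes it.

    fail_at_client=True  -> option (1): any problem raises ClientBindError.
    fail_at_client=False -> option (2): bind to ANY_ADDR and let the server
                            reject the request when the peer does not match.
    """
    p = parse_principal(principal)
    if p.instance is None:
        if fail_at_client:
            raise ClientBindError(f"principal {principal!r} lacks the /host part")
        return _bind_new_socket(ANY_ADDR)
    try:
        addr = socket.gethostbyname(p.instance)  # IP literals need no DNS
        return _bind_new_socket(addr)
    except OSError as e:  # socket.gaierror is a subclass of OSError
        if fail_at_client:
            raise ClientBindError(
                f"cannot bind to {p.instance!r} from {principal!r}: {e}") from e
        return _bind_new_socket(ANY_ADDR)


def server_accepts(principal: str, peer_hostname: str) -> bool:
    """Server-side check from the issue description: principal host == peer.

    Assumption: peer_hostname is passed in; a real server would reverse-resolve
    the remote address of the connection. Comparison is case-insensitive and
    ignores a trailing dot.
    """
    p = parse_principal(principal)
    if p.instance is None:
        return False
    return p.instance.lower().rstrip(".") == peer_hostname.lower().rstrip(".")


if __name__ == "__main__":
    # Constructed sample principals; 203.0.113.5 is TEST-NET and never local.
    for name in ("hdfs/127.0.0.1@EXAMPLE.COM", "alice@EXAMPLE.COM",
                 "hdfs/203.0.113.5@EXAMPLE.COM"):
        for policy in (True, False):
            label = "fail_at_client" if policy else "fail_at_server"
            try:
                s = bind_client_socket(name, fail_at_client=policy)
                print(f"{name:32} {label}: bound to {s.getsockname()[0]}")
                s.close()
            except ClientBindError as e:
                print(f"{name:32} {label}: rejected at client: {e}")
```

Under option (2) the wildcard-bound request is what the server then rejects in `server_accepts`, which is the point the comment makes about having a record on both sides; under option (1) the server never sees it.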
