hadoop-common-issues mailing list archives

From "Allen Wittenauer (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-8043) KerberosAuthenticationFilter and friends have some problems
Date Sat, 11 Feb 2012 03:27:09 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13206001#comment-13206001

Allen Wittenauer commented on HADOOP-8043:

I think there is some confusion: I don't intend to create a patch to be committed.  I'm only
filing jiras with patches so that other people don't have to deal with the issues around getting
1.0 up and running.  Given how much various other companies are proud to tout their patch
counts, these should be some easy points.

BTW, I also think there is some confusion around how the patch gets the name. See, whatever
the user used for incoming that gets converted to an IP address.  Given that we can specifically
bind the NN and JT to specific address:port combos, the admin has control over what is actually
valid.  So the name that is going to get used is the reverse lookup of the incoming IP of
the address we bound to.  So there is zero concern here about getting the wrong principal
on those hosts if we assume that DNS is configured correctly.  If DNS isn't configured correctly,
well... they have bigger issues to deal with.

> KerberosAuthenticationFilter and friends have some problems
> -----------------------------------------------------------
>                 Key: HADOOP-8043
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8043
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 1.0.0
>            Reporter: Allen Wittenauer
>            Priority: Critical
>         Attachments: HADOOP-8043-branch-1.0.txt
> KerberosAuthenticationFilter and friends have three killer usability issues and bugs:
> 1. Documentation is misleading/wrong.
> 2. Shared secret stored in a world readable file.
> 3. Lacks support for _HOST macro
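
The name resolution described in the comment above (the reverse lookup of the bound address substituted for `_HOST`), as an added example that is not part of the original message or of the attached patch. The class, interface and method names are hypothetical, and the forward-confirmation step and the lowercasing of the host name are assumptions of this example.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Locale;

// Added illustration, not Hadoop code. All names here are hypothetical.
public class HostMacroExample {
    static final String HOST_MACRO = "_HOST";

    // Lookup seam so the logic can run without live DNS.
    interface Dns {
        String reverse(InetAddress addr);
        InetAddress[] forward(String name) throws UnknownHostException;
    }

    // Resolver backed by the JVM's name service, for use on a real host.
    static final Dns SYSTEM = new Dns() {
        public String reverse(InetAddress a) { return a.getCanonicalHostName(); }
        public InetAddress[] forward(String n) throws UnknownHostException {
            return InetAddress.getAllByName(n);
        }
    };

    // Expand _HOST using the reverse lookup of the address the daemon is bound to.
    static String expand(String principal, InetAddress bound, Dns dns)
            throws UnknownHostException {
        if (!principal.contains(HOST_MACRO)) return principal;
        String ip = bound.getHostAddress();
        String name = dns.reverse(bound);
        // A failed reverse lookup hands back the IP literal instead of a name.
        if (name == null || name.equals(ip))
            throw new UnknownHostException("no PTR record for " + ip);
        // Forward-confirm: the PTR name must resolve back to the bound address.
        boolean confirmed = false;
        for (InetAddress a : dns.forward(name)) confirmed |= a.equals(bound);
        if (!confirmed)
            throw new UnknownHostException(name + " does not map back to " + ip);
        // Assumption: keytab principals are registered with the lowercase FQDN.
        return principal.replace(HOST_MACRO, name.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: documentation address and example domain.
        final InetAddress bound = InetAddress.getByAddress(new byte[] {(byte) 192, 0, 2, 10});
        Dns fake = new Dns() {
            public String reverse(InetAddress a) { return "NN1.Example.COM"; }
            public InetAddress[] forward(String n) { return new InetAddress[] {bound}; }
        };
        System.out.println(expand("HTTP/_HOST@EXAMPLE.COM", bound, fake));
    }
}
```

Passing `SYSTEM` instead of the constructed resolver runs the same check against the host's real DNS configuration.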


