hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alejandro Abdelnur (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-8518) SPNEGO client side should use KerberosName rules
Date Thu, 28 Jun 2012 15:59:45 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-8518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13403178#comment-13403178
] 

Alejandro Abdelnur commented on HADOOP-8518:
--------------------------------------------

(I'm not an expert either, just know a bit about it :) ) Yes, the MiM attack would require
a valid principal/credentials (a keytab). In a large cluster setup, with 1000s machines this
would mean that 1 rogue machine could do a MiM.
                
> SPNEGO client side should use KerberosName rules
> ------------------------------------------------
>
>                 Key: HADOOP-8518
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8518
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.0.3, 2.0.0-alpha
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>             Fix For: 1.1.0, 2.0.1-alpha
>
>
> currently KerberosName is used only on the server side to resolve the client name, we
should use it on the client side as well to resolve the server name before getting the kerberos
ticket.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message