hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Allen Wittenauer (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9019) KerberosAuthenticator.doSpnegoSequence(..) should create a HTTP principal with hostname everytime
Date Sat, 10 Nov 2012 13:53:12 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9019?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13494690#comment-13494690
] 

Allen Wittenauer commented on HADOOP-9019:
------------------------------------------

I seem to recall that using IP addresses in principals was a big no-no since many clients
will do a reverse lookup as part of the validation sequence.  (This is why one of the most
effective ways to break Kerberos is via DNS MITM attacks.)  In other words, using FQDN here
is more of a Kerberos thing than a Hadoop thing.
                
> KerberosAuthenticator.doSpnegoSequence(..) should create a HTTP principal with hostname
everytime 
> --------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-9019
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9019
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Vinay
>
> in KerberosAuthenticator.doSpnegoSequence(..) following line of code will just create
a principal of the form "HTTP/<host>",
> {code}            String servicePrincipal = KerberosUtil.getServicePrincipal("HTTP",
>                 KerberosAuthenticator.this.url.getHost());{code}
>  but uri.getHost() is not sure of always getting hostname. If uri contains IP, then it
just returns IP.
> For SPNEGO authentication principal should always be created with <hostname>.
> This code should be something like this, which will look /etc/hosts to get hostname
> {code}            String hostname = InetAddress.getByName(
>                 KerberosAuthenticator.this.url.getHost()).getHostName();
> String servicePrincipal = KerberosUtil.getServicePrincipal("HTTP",
>                 hostname);{code}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message