From common-issues-return-39960-apmail-hadoop-common-issues-archive=hadoop.apache.org@hadoop.apache.org Sat Nov 10 13:53:14 2012
Return-Path:
X-Original-To: apmail-hadoop-common-issues-archive@minotaur.apache.org
Delivered-To: apmail-hadoop-common-issues-archive@minotaur.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 0F17BDDD8 for ; Sat, 10 Nov 2012 13:53:14 +0000 (UTC)
Received: (qmail 48065 invoked by uid 500); 10 Nov 2012 13:53:13 -0000
Delivered-To: apmail-hadoop-common-issues-archive@hadoop.apache.org
Received: (qmail 47971 invoked by uid 500); 10 Nov 2012 13:53:13 -0000
Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
List-Help:
List-Unsubscribe:
List-Post:
List-Id:
Reply-To: common-issues@hadoop.apache.org
Delivered-To: mailing list common-issues@hadoop.apache.org
Received: (qmail 47922 invoked by uid 99); 10 Nov 2012 13:53:13 -0000
Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 10 Nov 2012 13:53:13 +0000
Date: Sat, 10 Nov 2012 13:53:12 +0000 (UTC)
From: "Allen Wittenauer (JIRA)"
To: common-issues@hadoop.apache.org
Message-ID: <185276677.96419.1352555593037.JavaMail.jiratomcat@arcas>
In-Reply-To: <649746498.86060.1352364612349.JavaMail.jiratomcat@arcas>
Subject: [jira] [Commented] (HADOOP-9019) KerberosAuthenticator.doSpnegoSequence(..) should create a HTTP principal with hostname everytime
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394

    [ https://issues.apache.org/jira/browse/HADOOP-9019?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13494690#comment-13494690 ]

Allen Wittenauer commented on HADOOP-9019:
------------------------------------------

I seem to recall that using IP addresses in principals was a big no-no, since many clients will do a reverse lookup as part of the validation sequence. (This is why one of the most effective ways to break Kerberos is via DNS MITM attacks.) In other words, using the FQDN here is more of a Kerberos thing than a Hadoop thing.

> KerberosAuthenticator.doSpnegoSequence(..) should create a HTTP principal with hostname everytime
> --------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-9019
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9019
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Vinay
>
> In KerberosAuthenticator.doSpnegoSequence(..) the following line of code will just create a principal of the form "HTTP/":
> {code}
> String servicePrincipal = KerberosUtil.getServicePrincipal("HTTP",
>     KerberosAuthenticator.this.url.getHost());
> {code}
> but uri.getHost() is not guaranteed to always return a hostname. If the URI contains an IP, it just returns the IP.
> For SPNEGO authentication the principal should always be created with .
> This code should be something like the following, which will look up /etc/hosts to get the hostname:
> {code}
> String hostname = InetAddress.getByName(
>     KerberosAuthenticator.this.url.getHost()).getHostName();
> String servicePrincipal = KerberosUtil.getServicePrincipal("HTTP",
>     hostname);
> {code}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
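The two behaviours discussed in the ticket, side by side, as an added example that is not Hadoop's code and not part of the JIRA thread. `SpnegoPrincipalExample`, `principalFromHost`, `principalWithReverseLookup`, `isIpLiteral` and the constructed `hosts` table are all assumptions introduced here; `servicePrincipal` is a minimal stand-in for `KerberosUtil.getServicePrincipal`, not the real implementation. The reverse resolver is passed in as a function so the fixed-table run below works offline, while `systemReverseLookup` shows the real `InetAddress` call from the ticket.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.function.Function;

/** Illustration only (not Hadoop code): building the SPNEGO "HTTP/<host>" principal. */
public final class SpnegoPrincipalExample {

    /** Principal string plus a flag recording whether a reverse lookup was needed. */
    public static final class Principal {
        public final String name;
        public final boolean usedReverseDns;

        Principal(String name, boolean usedReverseDns) {
            this.name = name;
            this.usedReverseDns = usedReverseDns;
        }
    }

    /** Stand-in for KerberosUtil.getServicePrincipal(service, host) (assumption, not the real one). */
    static String servicePrincipal(String service, String host) {
        return service + "/" + host.toLowerCase(Locale.ROOT);
    }

    /** True when the URL host is an IPv4 dotted quad or an IPv6 literal rather than a name. */
    static boolean isIpLiteral(String host) {
        String h = host.startsWith("[") && host.endsWith("]")
                ? host.substring(1, host.length() - 1) : host;
        if (h.matches("\\d{1,3}(\\.\\d{1,3}){3}")) {
            return true;
        }
        return h.indexOf(':') >= 0 && h.matches("[0-9A-Fa-f:.]+");
    }

    /** Behaviour the ticket reports: url.getHost() goes straight into the principal, IP or not. */
    public static Principal principalFromHost(String urlHost) {
        return new Principal(servicePrincipal("HTTP", urlHost), false);
    }

    /**
     * Behaviour the ticket proposes: an IP literal is mapped to a name first.
     * Unlike InetAddress.getHostName(), which silently returns the IP text when no
     * reverse mapping exists, a failed mapping is rejected here instead of minting
     * a principal such as HTTP/10.0.0.5 that no KDC will have a key for.
     */
    public static Principal principalWithReverseLookup(String urlHost,
                                                       Function<String, String> reverseResolver) {
        if (!isIpLiteral(urlHost)) {
            return new Principal(servicePrincipal("HTTP", urlHost), false);
        }
        String resolved = reverseResolver.apply(urlHost);
        if (resolved == null || resolved.isEmpty() || isIpLiteral(resolved)) {
            throw new IllegalArgumentException(
                    "cannot map " + urlHost + " to a host name for the HTTP principal");
        }
        return new Principal(servicePrincipal("HTTP", resolved), true);
    }

    /** The real reverse lookup from the ticket: a PTR query answered by whatever DNS the client trusts. */
    public static String systemReverseLookup(String ip) {
        try {
            return InetAddress.getByName(ip).getHostName();
        } catch (UnknownHostException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed mapping standing in for /etc/hosts; not real infrastructure.
        Map<String, String> hosts = new HashMap<>();
        hosts.put("10.0.0.5", "namenode.example.test");
        Function<String, String> tableResolver = hosts::get;

        System.out.println(principalFromHost("10.0.0.5").name);                    // HTTP/10.0.0.5
        System.out.println(principalWithReverseLookup("10.0.0.5", tableResolver).name);   // HTTP/namenode.example.test
        System.out.println(principalWithReverseLookup("NameNode.Example.Test", tableResolver).name); // HTTP/namenode.example.test, no lookup
        try {
            principalWithReverseLookup("10.0.0.6", tableResolver);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The first line of output is the bug: with an IP in the URL the client asks the KDC for a ticket to `HTTP/10.0.0.5`, a principal that does not exist. The second line is the ticket's fix. The rejection on the last call is the check a practitioner would want on top of it, because `InetAddress.getHostName()` hands back the IP text when the PTR lookup fails and the caller would otherwise build the same broken principal again. The comment above is the caveat that applies to the fix itself: once the principal name comes from a reverse lookup, it is decided by whoever answers that query, so the defensive configuration is to give clients the service's FQDN in the URL in the first place and never depend on the reverse path.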