hadoop-common-issues mailing list archives

From "Alejandro Abdelnur (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9868) Server must not advertise kerberos realm
Date Tue, 13 Aug 2013 15:29:48 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13738362#comment-13738362 ]

Alejandro Abdelnur commented on HADOOP-9868:

[~daryn], I'm a bit puzzled by this HADOOP-9789. While I understand the reasoning for it,
doesn't that weaken security? An impersonator can publish an alternate principal for which
it has a keytab.

> Server must not advertise kerberos realm
> ----------------------------------------
>                 Key: HADOOP-9868
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9868
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: ipc
>    Affects Versions: 3.0.0, 2.1.1-beta
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HADOOP-9868.patch
> HADOOP-9789 broke kerberos authentication by making the RPC server advertise the kerberos
> service principal realm.  SASL clients and servers do not support specifying a realm, so it
> must be removed from the advertisement.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
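
The concern raised in the comment above, as an added example that is not part of the original message and is not Hadoop code: a client that treats the advertised principal as untrusted, accepts it only when it matches the principal from its own configuration, and hands SASL the service and host without the realm. The function names and sample principals are constructed for illustration.

```python
import re

# service/host with an optional @REALM suffix
_PRINCIPAL = re.compile(
    r"(?P<service>[^/@\s]+)/(?P<host>[^/@\s]+)(?:@(?P<realm>[^/@\s]+))?"
)


def parse_principal(principal):
    """Split 'service/host[@REALM]' into (service, host, realm-or-None)."""
    m = _PRINCIPAL.fullmatch(principal)
    if m is None:
        raise ValueError(f"not a service/host principal: {principal!r}")
    # Host names compare case-insensitively; realms are case-sensitive.
    return m.group("service"), m.group("host").lower(), m.group("realm")


def sasl_identity(advertised, expected):
    """Return the (protocol, server name) pair to give a SASL client.

    `expected` comes from the client's own configuration; `advertised` is
    whatever the peer sent and is untrusted. The realm is never returned.
    """
    exp_service, exp_host, exp_realm = parse_principal(expected)
    adv_service, adv_host, adv_realm = parse_principal(advertised)
    if (adv_service, adv_host) != (exp_service, exp_host):
        raise PermissionError(f"advertised {advertised!r} is not {expected!r}")
    # A realm may be absent from the advertisement; if present it must agree.
    if None not in (adv_realm, exp_realm) and adv_realm != exp_realm:
        raise PermissionError(f"realm {adv_realm!r} is not {exp_realm!r}")
    return exp_service, exp_host


if __name__ == "__main__":
    expected = "nn/namenode.example.com@EXAMPLE.COM"  # constructed sample
    for adv in (
        "nn/namenode.example.com@EXAMPLE.COM",    # realm included
        "nn/NameNode.example.com",                # realm omitted
        "nn/namenode.example.com@OTHER.EXAMPLE",  # wrong realm
        "svc/other.example.net@OTHER.EXAMPLE",    # alternate principal
    ):
        try:
            print(adv, "->", sasl_identity(adv, expected))
        except PermissionError as err:
            print(adv, "-> rejected:", err)
```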