hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alejandro Abdelnur (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9868) Server must not advertise kerberos realm
Date Tue, 13 Aug 2013 15:29:48 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13738362#comment-13738362
] 

Alejandro Abdelnur commented on HADOOP-9868:
--------------------------------------------

[~daryn], I'm a bit puzzled by this HADOOP-9789. While I understand the reasoning for it,
doesn't that weaken security? An impersonator can publish an alternate principal for which
it has a keytab for. 
                
> Server must not advertise kerberos realm
> ----------------------------------------
>
>                 Key: HADOOP-9868
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9868
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: ipc
>    Affects Versions: 3.0.0, 2.1.1-beta
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HADOOP-9868.patch
>
>
> HADOOP-9789 broke kerberos authentication by making the RPC server advertise the kerberos
service principal realm.  SASL clients and servers do not support specifying a realm, so it
must be removed from the advertisement.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message