hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alejandro Abdelnur (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10158) SPNEGO should work with multiple interfaces/SPNs.
Date Mon, 03 Feb 2014 17:50:10 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10158?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13889675#comment-13889675
] 

Alejandro Abdelnur commented on HADOOP-10158:
---------------------------------------------

KerberosAuthenticationHandler.java:

* loginPrincipal(), it seems it is not considering the case of a 'HTTP@REALM' principal and
it would assume it is correct.

* getLoginForHost():

{code}
        SpnegoLogin newLogin = new SpnegoLogin(principal);
        spnegoLogin = logins.putIfAbsent(host, newLogin);
        if (spnegoLogin == null) {
          spnegoLogin = newLogin;
        }
        spnegoLogin.login(keytab);
{code}

We should add a comment on the spnegoLogin.login(keytab) invocation that in the case of a
race condition the second login attempt is a NOP.

KerberosUtil.java:

* getRealmForHost(), typo s/retun/return/. Please add an 'IMPORTANT:’ comment here explaining
we are tapping into implementation specific methods of the Oracle and IBM JDKs, it may break
in other JDKs or in future versions, and it may blow if a SecurityManager is in place.


> SPNEGO should work with multiple interfaces/SPNs.
> -------------------------------------------------
>
>                 Key: HADOOP-10158
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10158
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.2.0
>            Reporter: Kihwal Lee
>            Assignee: Daryn Sharp
>            Priority: Critical
>         Attachments: HADOOP-10158-readkeytab.patch, HADOOP-10158-readkeytab.patch, HADOOP-10158.patch,
HADOOP-10158.patch, HADOOP-10158_multiplerealms.patch, HADOOP-10158_multiplerealms.patch,
HADOOP-10158_multiplerealms.patch
>
>
> This is the list of internal servlets added by namenode.
> | Name | Auth | Need to be accessible by end users |
> | StartupProgressServlet | none | no |
> | GetDelegationTokenServlet | internal SPNEGO | yes |
> | RenewDelegationTokenServlet | internal SPNEGO | yes |
> |  CancelDelegationTokenServlet | internal SPNEGO | yes |
> |  FsckServlet | internal SPNEGO | yes |
> |  GetImageServlet | internal SPNEGO | no |
> |  ListPathsServlet | token in query | yes |
> |  FileDataServlet | token in query | yes |
> |  FileChecksumServlets | token in query | yes |
> | ContentSummaryServlet | token in query | yes |
> GetDelegationTokenServlet, RenewDelegationTokenServlet, CancelDelegationTokenServlet
and FsckServlet are accessed by end users, but hard-coded to use the internal SPNEGO filter.
> If a name node HTTP server binds to multiple external IP addresses, the internal SPNEGO
service principal name may not work with an address to which end users are connecting.  The
current SPNEGO implementation in Hadoop is limited to use a single service principal per filter.
> If the underlying hadoop kerberos authentication handler cannot easily be modified, we
can at least create a separate auth filter for the end-user facing servlets so that their
service principals can be independently configured. If not defined, it should fall back to
the current behavior.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

Mime
View raw message