hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Matt Foley (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-12617) SPNEGO authentication request to non-default realm gets default realm name inserted in target server principal
Date Sun, 06 Dec 2015 22:24:10 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-12617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15044180#comment-15044180
] 

Matt Foley commented on HADOOP-12617:
-------------------------------------

The proposed patch provides the required functionality with no changes to API signatures or
exceptions, and following the model of other code in KerberosUtils.java.

Furthermore, I grepped all java files in a broad set of Hadoop ecosystem components:
* accumulo, atlas, calcite, datafu, falcon, flume, hadoop, hbase, hive, hue, kafka, knox,
mahout, oozie, phoenix, pig, ranger, slider, spark, sqoop, storm, tez, zookeeper

and found that no code calls KerberosUtils.getServicePrincipal() directly except that in the
Hadoop auth package.  Both instances there use the result ONLY as an argument for an immediate
call to gssManager.createName(), which accepts the fully qualified principal and does the
right thing with it.  So I believe this patch is safe.

> SPNEGO authentication request to non-default realm gets default realm name inserted in
target server principal
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-12617
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12617
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.7.1
>         Environment: Java client talking to two secure clusters in different Kerberos
realms,
> or talking to any secure cluster in non-default realm
>            Reporter: Matt Foley
>            Assignee: Matt Foley
>
> Note: This is NOT a vulnerability.
> In order for a single Java client to communicate with two different secure clusters in
different realms (only one of which can be the "default_realm"), the client's krb5.conf file
must specify both realms, and provide a \[domain_realm\] section that maps cluster servers'
domains to the correct realms.  With other appropriate behaviors (such as using the config
from each cluster to talk to the respective clusters, and a user principal from each realm
to talk to the respective realms), this is sufficient for most Hadoop ecosystem clients. 

> But our SPNEGO using clients, such as Oozie, have a bug when it comes to talking to a
non-default realm.  The default realm name gets incorrectly inserted into the construction
of the target server principal for the non-default-realm cluster.  Details and proposed solution
are given in the first comments below.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message