From: "Akira Ajisaka (JIRA)"
To: common-issues@hadoop.apache.org
Date: Mon, 12 Dec 2016 02:50:58 +0000 (UTC)
Subject: [jira] [Commented] (HADOOP-13565) KerberosAuthenticationHandler#authenticate should not rebuild SPN based on client request

[ https://issues.apache.org/jira/browse/HADOOP-13565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15740797#comment-15740797 ]

Akira Ajisaka commented on HADOOP-13565:
----------------------------------------

Hi [~xyao] and [~jnp], this commit broke HADOOP-13890. Could you check this?

> KerberosAuthenticationHandler#authenticate should not rebuild SPN based on client request
> -----------------------------------------------------------------------------------------
>
>                 Key: HADOOP-13565
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13565
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.5.0
>            Reporter: Xiaoyu Yao
>            Assignee: Xiaoyu Yao
>             Fix For: 2.8.0, 3.0.0-alpha2
>
>         Attachments: HADOOP-13565.00.patch, HADOOP-13565.01.patch, HADOOP-13565.02.patch, HADOOP-13565.03.patch
>
>
> In KerberosAuthenticationHandler#authenticate, we use the canonicalized server name derived from the HTTP request to build the server SPN and authenticate the client. This can be problematic if the HTTP client/server are running from a non-local Kerberos realm that the local realm has trust with (e.g., NN UI).
>
> For example,
> The server is running its HTTP endpoint using an SPN from the client realm:
> hadoop.http.authentication.kerberos.principal
> HTTP/_HOST/TEST.COM
>
> When the client sends a request to the namenode at http://NN1.example.com:50070 from client.test.com@TEST.COM,
> the client talks to the KDC first and gets a service ticket HTTP/NN1.example.com/TEST.COM to authenticate with the server via SPNEGO negotiation.
>
> The authentication will end up with either a "no valid credential" error or a checksum failure, depending on the HTTP client's name resolution or the HTTP Host field from the request header provided by the browser.
>
> The root cause is that KerberosUtil.getServicePrincipal("HTTP", serverName) will always return an SPN with the local realm (HTTP/NN.example.com@EXAMPLE.COM), no matter whether the server login SPN is from that domain or not.
>
> The proposed fix is to use the default server login principal instead (by passing null as the 1st parameter to gssManager.createCredential()). This way we avoid any dependency on HTTP client behavior (Host header or name resolution like CNAME) or assumptions about the local realm.
-- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org For additional commands, e-mail: common-issues-help@hadoop.apache.org
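The issue description contrasts two ways a SPNEGO acceptor can pick its credential: rebuilding the SPN from the request's server name, or passing null to createCredential() so JGSS uses the keytab login principal. The class below is an added illustration of both, written against plain JGSS; it is not Hadoop's KerberosAuthenticationHandler and not code from any of the attached patches. To stay self-contained it uses the JGSS host-based name type ("HTTP@host") instead of Hadoop's KerberosUtil.getServicePrincipal helper; the effect is the same, the Kerberos mechanism completes the name with the JVM's default realm. The JAAS entry name "HadoopServer", the realm names EXAMPLE.COM and TEST.COM, and the way the servlet passes the Authorization header and server name in are assumptions for the example.

```java
import java.net.InetAddress;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Example SPNEGO acceptor (added illustration, not Hadoop's own code) showing
 * the credential choice discussed in HADOOP-13565. Assumed setup: the server's
 * keytab login is HTTP/nn1.example.com@TEST.COM while the JVM's default realm
 * (krb5.conf / java.security.krb5.realm) is EXAMPLE.COM.
 */
public class SpnegoAcceptorExample {
  private static final Oid SPNEGO_MECH;
  private static final Oid KRB5_MECH;

  static {
    try {
      SPNEGO_MECH = new Oid("1.3.6.1.5.5.2");
      KRB5_MECH = new Oid("1.2.840.113554.1.2.2");
    } catch (GSSException e) {
      throw new ExceptionInInitializerError(e);
    }
  }

  /** Subject populated by a keytab login; "HadoopServer" is an assumed JAAS entry name. */
  private final Subject serverSubject;

  public SpnegoAcceptorExample() throws Exception {
    LoginContext lc = new LoginContext("HadoopServer");
    lc.login();
    serverSubject = lc.getSubject();
  }

  /**
   * BEFORE (the pattern the issue describes): rebuild the acceptor name from the
   * canonicalized request server name. The Kerberos mechanism completes a
   * host-based name with the JVM's default realm, so this selects
   * HTTP/nn1.example.com@EXAMPLE.COM, which is not in the keytab. The client's
   * ticket is for HTTP/nn1.example.com@TEST.COM, so acceptance fails, and which
   * host name ends up here depends on the Host header and DNS (CNAMEs).
   */
  static GSSCredential hostDerivedCredential(GSSManager mgr, String requestServerName)
      throws Exception {
    String canonical = InetAddress.getByName(requestServerName).getCanonicalHostName();
    GSSName spn = mgr.createName("HTTP@" + canonical, GSSName.NT_HOSTBASED_SERVICE);
    return mgr.createCredential(spn, GSSCredential.INDEFINITE_LIFETIME,
        new Oid[] {SPNEGO_MECH, KRB5_MECH}, GSSCredential.ACCEPT_ONLY);
  }

  /**
   * AFTER (the fix the issue proposes): a null name tells JGSS to use the
   * default acceptor credential, i.e. the principal the keytab login put into
   * the current Subject, whatever its realm. Nothing from the request is
   * consulted, so Host header values and CNAME resolution no longer matter.
   */
  static GSSCredential defaultLoginCredential(GSSManager mgr) throws GSSException {
    return mgr.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
        new Oid[] {SPNEGO_MECH, KRB5_MECH}, GSSCredential.ACCEPT_ONLY);
  }

  /**
   * Accepts the token carried in "Authorization: Negotiate <base64>" and returns
   * the authenticated client principal, or throws. requestServerName is what the
   * servlet container reports for the request (derived from the Host header).
   */
  public String authenticate(String authorizationHeader, String requestServerName,
      boolean useLoginPrincipal) throws Exception {
    String prefix = "Negotiate ";
    if (authorizationHeader == null || !authorizationHeader.startsWith(prefix)) {
      throw new IllegalArgumentException("missing Negotiate token");
    }
    byte[] token = Base64.getDecoder().decode(authorizationHeader.substring(prefix.length()).trim());
    return Subject.doAs(serverSubject, (PrivilegedExceptionAction<String>) () -> {
      GSSManager mgr = GSSManager.getInstance();
      GSSCredential cred = useLoginPrincipal
          ? defaultLoginCredential(mgr)
          : hostDerivedCredential(mgr, requestServerName);
      GSSContext ctx = mgr.createContext(cred);
      try {
        // Single-leg Kerberos-in-SPNEGO token; a real filter would send any
        // returned bytes back in WWW-Authenticate and loop until established.
        ctx.acceptSecContext(token, 0, token.length);
        if (!ctx.isEstablished()) {
          throw new GSSException(GSSException.DEFECTIVE_TOKEN);
        }
        return ctx.getSrcName().toString();
      } finally {
        ctx.dispose();
        cred.dispose();
      }
    });
  }
}
```

With the assumed setup, authenticate(header, "nn1.example.com", false) fails for a TEST.COM client because the acceptor credential names a principal that is not in the keytab, and the exact failure varies with what requestServerName resolves to; authenticate(header, "nn1.example.com", true) ignores the request entirely and accepts against HTTP/nn1.example.com@TEST.COM. The hardening point is the same one the issue makes: the acceptor's identity should come from the server's own login, never from data the client controls.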