hadoop-common-issues mailing list archives

From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-14146) KerberosAuthenticationHandler should authenticate with SPN in AP-REQ
Date Wed, 29 Mar 2017 18:00:44 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15947611#comment-15947611

Daryn Sharp commented on HADOOP-14146:

Based on your suggestion, I looked at the kerby code again.  It's much more expensive in both
computation and object allocation rates, the latter of which we definitely don't need.  My
goal is an extremely lightweight and minimal decode since the gssmanager is subsequently going
to do a full decode.

I did testing with AD and the unit tests use mini-kdc issued tickets.  I wouldn't be too worried
about KDCs though.  Service tickets are an ancient and well-defined RFC format.  The JDK very
rigidly follows it and makes assumptions of DER tag ordering (it'll incidentally blow up if
it assumed wrong), whereas I'm being more correct in looking up & verifying DER tags.

> KerberosAuthenticationHandler should authenticate with SPN in AP-REQ
> --------------------------------------------------------------------
>                 Key: HADOOP-14146
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14146
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.5.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>         Attachments: HADOOP-14146.1.patch, HADOOP-14146.patch
> Many attempts (HADOOP-10158, HADOOP-11628, HADOOP-13565) have tried to add multiple SPN
> host and/or realm support to SPNEGO authentication.  The basic problem is the server tries
> to guess and/or brute force what SPN the client used.  The server should just decode the SPN
> from the AP-REQ.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org
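As an added illustration of the approach described in the comment above (a lightweight decode that looks up and verifies the DER tags rather than trusting their position), here is a tag-driven walk from a bare AP-REQ down to the Ticket's realm and sname. This is example code written for this page, not the HADOOP-14146 patch, Hadoop, the JDK or kerby; the realm, the HTTP/nn.example.com principal, the dummy ciphertext and every helper name are assumptions, and the sample AP-REQ is constructed inline so the example runs offline.

```python
"""Find the service principal in a Kerberos AP-REQ with a minimal DER walk.
Added illustration, not Hadoop's, the JDK's or kerby's code.  Each field is located by
looking up its [n] context tag inside the enclosing SEQUENCE and verifying the inner
tag, never by assuming a byte position."""

# X.690 class/form bits; tag numbers are from RFC 4120
APPLICATION, CONTEXT, CONSTRUCTED = 0x40, 0x80, 0x20
SEQUENCE, INTEGER, OCTET_STRING, BIT_STRING, GENERAL_STRING = 0x30, 0x02, 0x04, 0x03, 0x1B
AP_REQ_TAG = APPLICATION | CONSTRUCTED | 14   # AP-REQ ::= [APPLICATION 14] SEQUENCE {...}
TICKET_TAG = APPLICATION | CONSTRUCTED | 1    # Ticket ::= [APPLICATION 1] SEQUENCE {...}


def _tlv(buf, pos, end):
    """Decode one definite-length TLV header at pos; return (tag, val_start, val_end)."""
    if pos + 2 > end:
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag numbers do not occur in Kerberos messages")
    if length & 0x80:                                  # long form: 0x8n then n length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise ValueError("indefinite or oversized DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > end:
        raise ValueError("DER length runs past the enclosing element")
    return tag, pos, pos + length


def _exact(buf, start, end, tag):
    """The single element filling [start, end) must carry `tag`; return its value bounds."""
    t, vs, ve = _tlv(buf, start, end)
    if t != tag or ve != end:
        raise ValueError("expected tag 0x%02x filling its wrapper, got 0x%02x" % (tag, t))
    return vs, ve


def _members(buf, start, end, *required):
    """Map [n] context-tag number -> value bounds for the members of a SEQUENCE body."""
    out, pos = {}, start
    while pos < end:
        t, vs, ve = _tlv(buf, pos, end)
        if (t & 0xE0) != (CONTEXT | CONSTRUCTED) or (t & 0x1F) in out:
            raise ValueError("unexpected or duplicate member tag 0x%02x" % t)
        out[t & 0x1F], pos = (vs, ve), ve
    if any(n not in out for n in required):
        raise ValueError("required member missing, have %s" % sorted(out))
    return out


def _kerberos_string(buf, start, end):
    vs, ve = _exact(buf, start, end, GENERAL_STRING)
    return buf[vs:ve].decode("ascii")                  # KerberosString is limited to IA5 chars


def _small_int(buf, start, end):
    vs, ve = _exact(buf, start, end, INTEGER)
    return int.from_bytes(buf[vs:ve], "big", signed=True)


def parse_ap_req(ap_req):
    """Return realm, name-type and name-string of the Ticket's sname; ValueError if malformed."""
    s, e = _exact(ap_req, 0, len(ap_req), AP_REQ_TAG)
    top = _members(ap_req, *_exact(ap_req, s, e, SEQUENCE), 0, 1, 3)
    if _small_int(ap_req, *top[0]) != 5 or _small_int(ap_req, *top[1]) != 14:
        raise ValueError("not a pvno 5 AP-REQ")
    ts, te = _exact(ap_req, *top[3], TICKET_TAG)                     # ticket [3] Ticket
    tkt = _members(ap_req, *_exact(ap_req, ts, te, SEQUENCE), 1, 2)
    realm = _kerberos_string(ap_req, *tkt[1])                        # realm [1] Realm
    pn = _members(ap_req, *_exact(ap_req, *tkt[2], SEQUENCE), 0, 1)  # sname [2] PrincipalName
    name_type = _small_int(ap_req, *pn[0])
    ns, ne = _exact(ap_req, *pn[1], SEQUENCE)                        # name-string SEQUENCE OF
    parts, pos = [], ns
    while pos < ne:
        _, _, ve = _tlv(ap_req, pos, ne)
        parts.append(_kerberos_string(ap_req, pos, ve))
        pos = ve
    return {"realm": realm, "name_type": name_type, "name_string": parts}


def spn_from_ap_req(ap_req):
    """'service/host@REALM' exactly as the client requested it."""
    p = parse_ap_req(ap_req)
    return "/".join(p["name_string"]) + "@" + p["realm"]


# --- constructed test vector (NOT a real ticket): correct ASN.1 shape, dummy ciphertext ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body


def _ctx(n, inner):                                    # EXPLICIT [n] wrapper, as Kerberos uses
    return _der(CONTEXT | CONSTRUCTED | n, inner)


def build_sample_ap_req(realm="EXAMPLE.COM", name=("HTTP", "nn.example.com")):
    """Sample AP-REQ for an assumed HTTP/nn.example.com@EXAMPLE.COM service.  kvno [1] is
    omitted from both EncryptedData values, so a decoder that counts positions instead of
    reading tags would take the cipher field for the kvno."""
    gstr = lambda s: _der(GENERAL_STRING, s.encode("ascii"))
    small = lambda v: _der(INTEGER, bytes([v]))
    enc = _der(SEQUENCE, _ctx(0, small(18)) + _ctx(2, _der(OCTET_STRING, b"\x00" * 8)))
    sname = _der(SEQUENCE, _ctx(0, small(1)) + _ctx(1, _der(SEQUENCE, b"".join(map(gstr, name)))))
    ticket = _der(TICKET_TAG, _der(SEQUENCE, _ctx(0, small(5)) + _ctx(1, gstr(realm))
                                           + _ctx(2, sname) + _ctx(3, enc)))
    body = (_ctx(0, small(5)) + _ctx(1, small(14)) + _ctx(2, _der(BIT_STRING, b"\x00" * 5))
            + _ctx(3, ticket) + _ctx(4, enc))
    return _der(AP_REQ_TAG, _der(SEQUENCE, body))
```

In the SPNEGO path the handler receives a GSS InitialContextToken (the Negotiate header) whose Kerberos mechToken carries the krb5 mechanism OID and the 0x01 0x00 KRB_AP_REQ TOK_ID in front of this AP-REQ; the same walk applies once that outer wrapper is stripped. Nothing here checks the ticket's integrity: the extracted SPN only tells the server which keytab entry to hand to the GSS layer, which still performs the full decrypt and verification.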
