Date: Wed, 29 Mar 2017 18:00:44 +0000 (UTC)
From: "Daryn Sharp (JIRA)"
To: common-issues@hadoop.apache.org
Subject: [jira] [Commented] (HADOOP-14146) KerberosAuthenticationHandler should authenticate with SPN in AP-REQ

[ https://issues.apache.org/jira/browse/HADOOP-14146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15947611#comment-15947611 ]

Daryn Sharp commented on HADOOP-14146:
--------------------------------------

Based on your suggestion, I looked at the Kerby code again. It's much more expensive in both computation and object allocation rates, the latter of which we definitely don't need. My goal is an extremely lightweight and minimal decode, since the GSSManager is subsequently going to do a full decode.

I did testing with AD, and the unit tests use mini-kdc-issued tickets. I wouldn't be too worried about KDCs though. Service tickets are an ancient and well-defined RFC format. The JDK very rigidly follows it and makes assumptions about DER tag ordering (it'll incidentally blow up if it assumed wrong), whereas I'm being more correct in looking up & verifying DER tags.
> KerberosAuthenticationHandler should authenticate with SPN in AP-REQ
> --------------------------------------------------------------------
>
>                 Key: HADOOP-14146
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14146
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.5.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>         Attachments: HADOOP-14146.1.patch, HADOOP-14146.patch
>
>
> Many attempts (HADOOP-10158, HADOOP-11628, HADOOP-13565) have tried to add multiple SPN host and/or realm support to SPNEGO authentication. The basic problem is the server tries to guess and/or brute-force what SPN the client used. The server should just decode the SPN from the AP-REQ.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
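The tag-lookup decode Daryn describes, as an added example (not Hadoop's code and not the patch attached to the issue): a minimal DER walker that pulls the realm and sname out of a Kerberos AP-REQ (RFC 4120) by finding each field by its context tag and checking the tag it finds, instead of assuming field order. The sample AP-REQ, the realm EXAMPLE.COM and the principal HTTP/nn.example.com are constructed here and the ciphertext fields are filler; a real HTTP Negotiate token also carries GSS-API and SPNEGO framing around the AP-REQ, which this example does not unwrap.

```python
"""Added example (not Hadoop's code): lightweight DER walk over a Kerberos
AP-REQ that locates realm and sname by tag and verifies every tag it reads.
The AP-REQ is constructed inline so the script runs offline."""

SEQUENCE, INTEGER, BIT_STRING, OCTET_STRING, GENERAL_STRING = 0x30, 0x02, 0x03, 0x04, 0x1B
APP_TICKET, APP_AP_REQ = 0x61, 0x6E   # [APPLICATION 1] Ticket, [APPLICATION 14] AP-REQ
KRB_AP_REQ = 14                       # msg-type value of an AP-REQ


def ctx(n):
    """Context-specific constructed tag [n]."""
    return 0xA0 | n


def read_tlv(buf, off=0):
    """Read one DER TLV at buf[off] -> (tag, content, next_off).
    Indefinite and non-minimal lengths are rejected: DER forbids both."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[off], buf[off + 1], off + 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not DER")
    else:
        nbytes = first & 0x7F
        if pos + nbytes > len(buf):
            raise ValueError("truncated length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80 or (nbytes > 1 and buf[pos] == 0):
            raise ValueError("non-minimal length encoding")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("content overruns buffer")
    return tag, buf[pos:pos + length], pos + length


def expect(buf, tag):
    """buf must be exactly one TLV carrying the given tag; return its content."""
    got, content, end = read_tlv(buf)
    if got != tag or end != len(buf):
        raise ValueError(f"expected one TLV with tag 0x{tag:02x}, got 0x{got:02x}")
    return content


def fields(seq):
    """Yield (tag, content) for each TLV inside a constructed value."""
    off = 0
    while off < len(seq):
        tag, content, off = read_tlv(seq, off)
        yield tag, content


def field(seq, tag):
    """Find a member by its context tag rather than trusting its position."""
    for got, content in fields(seq):
        if got == tag:
            return content
    raise ValueError(f"missing [{tag & 0x1F}] field")


def dec_int(content):
    return int.from_bytes(content, "big", signed=True)


def extract_spn(ap_req):
    """Return (realm, name-string list) of the ticket's sname in an AP-REQ."""
    body = expect(expect(ap_req, APP_AP_REQ), SEQUENCE)
    pvno = dec_int(expect(field(body, ctx(0)), INTEGER))
    msg_type = dec_int(expect(field(body, ctx(1)), INTEGER))
    if pvno != 5 or msg_type != KRB_AP_REQ:
        raise ValueError(f"not a v5 AP-REQ (pvno={pvno}, msg-type={msg_type})")
    ticket = expect(expect(field(body, ctx(3)), APP_TICKET), SEQUENCE)
    realm = expect(field(ticket, ctx(1)), GENERAL_STRING).decode("ascii")
    sname = expect(field(ticket, ctx(2)), SEQUENCE)
    parts = []
    for tag, content in fields(expect(field(sname, ctx(1)), SEQUENCE)):
        if tag != GENERAL_STRING:
            raise ValueError("name-string component is not a KerberosString")
        parts.append(content.decode("ascii"))
    return realm, parts


def spn_of(ap_req):
    """The principal in the familiar service/host@REALM form."""
    realm, parts = extract_spn(ap_req)
    return "/".join(parts) + "@" + realm


# --- encoder, used only to construct the sample AP-REQ below -------------
def der(tag, content):
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def enc_int(v):
    return der(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def enc_data(etype, cipher):   # EncryptedData; cipher is filler, not real ciphertext
    return der(SEQUENCE, der(ctx(0), enc_int(etype)) + der(ctx(2), der(OCTET_STRING, cipher)))


def build_ap_req(realm, name_string, name_type=3, msg_type=KRB_AP_REQ):
    """Constructed sample shaped like a real AP-REQ (assumed values, filler cipher)."""
    strings = b"".join(der(GENERAL_STRING, s.encode("ascii")) for s in name_string)
    sname = der(SEQUENCE, der(ctx(0), enc_int(name_type)) + der(ctx(1), der(SEQUENCE, strings)))
    ticket = der(APP_TICKET, der(SEQUENCE,
                 der(ctx(0), enc_int(5)) + der(ctx(1), der(GENERAL_STRING, realm.encode("ascii")))
                 + der(ctx(2), sname) + der(ctx(3), enc_data(18, bytes(range(160))))))
    ap_options = der(BIT_STRING, b"\x00\x20\x00\x00\x00")   # mutual-required flag set
    return der(APP_AP_REQ, der(SEQUENCE,
               der(ctx(0), enc_int(5)) + der(ctx(1), enc_int(msg_type)) + der(ctx(2), ap_options)
               + der(ctx(3), ticket) + der(ctx(4), enc_data(18, bytes(range(96))))))


SAMPLE_AP_REQ = build_ap_req("EXAMPLE.COM", ["HTTP", "nn.example.com"])
```

`spn_of(SAMPLE_AP_REQ)` yields `HTTP/nn.example.com@EXAMPLE.COM`, which is the name the handler would then look up in its keytab. Nothing here touches the encrypted parts: the SPN is read from cleartext ticket fields before the GSS layer does the full decode and verification, so it is only a routing hint, and the GSS context establishment still decides whether the ticket is valid for that principal.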