hadoop-hdfs-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Xiaoyu Yao (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HDFS-10818) KerberosAuthenticationHandler#authenticate should not rebuild SPN based on client request
Date Tue, 30 Aug 2016 22:19:21 GMT
Xiaoyu Yao created HDFS-10818:

             Summary: KerberosAuthenticationHandler#authenticate should not rebuild SPN based
on client request
                 Key: HDFS-10818
                 URL: https://issues.apache.org/jira/browse/HDFS-10818
             Project: Hadoop HDFS
          Issue Type: Bug
            Reporter: Xiaoyu Yao
            Assignee: Xiaoyu Yao

In KerberosAuthenticationHandler#authenticate, we use canonicalized server name derived from
HTTP request to build server SPN and authenticate client. This can be problematic if the HTTP
client/server are running from a non-local Kerberos realm that the local realm has trust with
(e.g., NN UI).

For example, 
The server is running its HTTP endpoint using SPN from the client realm:

When client sends request to namenode at example.com@EXAMPLE.COM with http://NN.example.com:50070
from somehost.test.com@TEST.COM.

The client talks to KDC first and gets a service ticket HTTP/NN1.example.com/TEST.COM to authenticate
with the server via SPNEGO negotiation. 

The authentication will end up with either no valid credential error or checksum failure depending
on the HTTP client naming resolution or HTTP header of Host specified by the browser. 

The root cause is KerberosUtil.getServicePrincipal("HTTP", serverName)}} will return a SPN
with local realm (HTTP/NN.example.com@EXAMPLE.COM)  no matter the server login SPN is from
that domain or not. 

The proposed fix is to change to use default server login principle (by passing null as the
1st parameter to gssManager.createCredential()) instead. This way we avoid dependency on HTTP
client behavior (Host header or name resolution like CNAME) or assumption on the local realm.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: hdfs-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: hdfs-dev-help@hadoop.apache.org

View raw message