Date: Tue, 30 Aug 2016 22:19:21 +0000 (UTC)
From: "Xiaoyu Yao (JIRA)"
To: hdfs-issues@hadoop.apache.org
Subject: [jira] [Created] (HDFS-10818) KerberosAuthenticationHandler#authenticate should not rebuild SPN based on client request

Xiaoyu Yao created HDFS-10818:
---------------------------------

             Summary: KerberosAuthenticationHandler#authenticate should not rebuild SPN based on client request
                 Key: HDFS-10818
                 URL: https://issues.apache.org/jira/browse/HDFS-10818
             Project: Hadoop HDFS
          Issue Type: Bug
            Reporter: Xiaoyu Yao
            Assignee: Xiaoyu Yao

In KerberosAuthenticationHandler#authenticate, we use the canonicalized server name derived from the HTTP request to build the server SPN and authenticate the client. This can be problematic if the HTTP client/server are running from a non-local Kerberos realm that the local realm has trust with (e.g., NN UI).

For example, the server is running its HTTP endpoint using an SPN from the client realm:

    hadoop.http.authentication.kerberos.principal
    HTTP/_HOST/TEST.COM

When a client at somehost.test.com@TEST.COM sends a request to the namenode at example.com@EXAMPLE.COM via http://NN.example.com:50070, the client talks to the KDC first and gets a service ticket HTTP/NN1.example.com/TEST.COM to authenticate with the server via SPNEGO negotiation. The authentication will end up with either a "no valid credential" error or a checksum failure, depending on the HTTP client's name resolution or the Host header specified by the browser.

The root cause is that KerberosUtil.getServicePrincipal("HTTP", serverName) will return an SPN with the local realm (HTTP/NN.example.com@EXAMPLE.COM) regardless of whether the server login SPN is from that domain or not.

The proposed fix is to use the default server login principal instead (by passing null as the first parameter to gssManager.createCredential()). This way we avoid any dependency on HTTP client behavior (Host header or name resolution like CNAME) or assumptions about the local realm.
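An added illustration, not code from the issue or from Hadoop itself: a hypothetical SPNEGO acceptor class, SpnegoAcceptor, that places the two credential choices side by side using the standard Java GSS-API (org.ietf.jgss). acceptWithRequestDerivedSpn builds the acceptor name from the host the request carried, so the Kerberos provider completes it with the acceptor's default realm, which is the mismatch the issue describes; acceptWithDefaultCredential passes null to createCredential so the acceptor credential is whatever principal the server actually logged in as. The serverSubject constructor argument (assumed to come from a JAAS Krb5LoginModule login with the server keytab), the method names and the single-leg token handling are assumptions for the example.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Hypothetical SPNEGO acceptor (not Hadoop's KerberosAuthenticationHandler) that
 * contrasts the two ways of choosing the acceptor credential discussed in HDFS-10818.
 * Assumption: serverSubject was produced by a JAAS Krb5LoginModule login using the
 * server keytab, so it already holds the principal the server really logged in as
 * (e.g. HTTP/nn.example.com@TEST.COM in the issue's cross-realm setup).
 */
public class SpnegoAcceptor {
    private static final Oid KRB5_OID;   // Kerberos V5 mechanism
    private static final Oid SPNEGO_OID; // SPNEGO pseudo-mechanism
    static {
        try {
            KRB5_OID = new Oid("1.2.840.113554.1.2.2");
            SPNEGO_OID = new Oid("1.3.6.1.5.5.2");
        } catch (GSSException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    private final Subject serverSubject;
    private final GSSManager gssManager = GSSManager.getInstance();

    public SpnegoAcceptor(Subject serverSubject) {
        this.serverSubject = serverSubject;
    }

    /**
     * Problematic pattern: the acceptor name is rebuilt from the client-supplied host.
     * "HTTP@host" (NT_HOSTBASED_SERVICE) is completed by the Kerberos provider to
     * HTTP/host@<acceptor's default realm>, so when the server actually logged in
     * under a principal from a trusted foreign realm the credential lookup fails
     * ("no valid credential") or the ticket does not match the key (checksum failure).
     */
    public String acceptWithRequestDerivedSpn(String hostFromRequest, byte[] clientToken)
            throws Exception {
        GSSName acceptorName = gssManager.createName(
                "HTTP@" + hostFromRequest, GSSName.NT_HOSTBASED_SERVICE);
        return acceptAs(acceptorName, clientToken);
    }

    /**
     * Proposed fix: a null acceptor name means "use the default credential", i.e. the
     * principal already present in the login Subject, independent of the Host header
     * or of how the client resolved the server's name.
     */
    public String acceptWithDefaultCredential(byte[] clientToken) throws Exception {
        return acceptAs(null, clientToken);
    }

    /** Runs the accept leg inside the server's login context and returns the client principal. */
    private String acceptAs(GSSName acceptorName, byte[] clientToken) throws Exception {
        return Subject.doAs(serverSubject, (PrivilegedExceptionAction<String>) () -> {
            GSSCredential cred = gssManager.createCredential(
                    acceptorName,
                    GSSCredential.INDEFINITE_LIFETIME,
                    new Oid[] {SPNEGO_OID, KRB5_OID},
                    GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = gssManager.createContext(cred);
            try {
                // Kerberos inside SPNEGO normally completes in a single accept call;
                // a multi-leg exchange would loop here until isEstablished() is true.
                ctx.acceptSecContext(clientToken, 0, clientToken.length);
                if (!ctx.isEstablished()) {
                    throw new GSSException(GSSException.FAILURE);
                }
                // The authenticated initiator, e.g. user@TEST.COM
                return ctx.getSrcName().toString();
            } finally {
                ctx.dispose();
                cred.dispose();
            }
        });
    }
}
```

Operationally, the symptom pair the issue names (a "no valid credential" error for some clients and a checksum failure for others, depending on how they reached the server) is the signature of this realm mismatch rather than of a bad keytab: with the default-credential variant the acceptor principal no longer varies with the request, so any remaining failure points at the keytab or the KDC trust itself.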