kudu-commits mailing list archives

From jdcry...@apache.org
Subject kudu git commit: KUDU-1897: disable Kerberos replay cache
Date Mon, 06 Mar 2017 23:59:06 GMT
Repository: kudu
Updated Branches:
  refs/heads/branch-1.3.x c8cbc8b5c -> dae253dab


KUDU-1897: disable Kerberos replay cache

Change-Id: Ifbce55a0b12682fdf69e7b2c361c6336495db64d
Reviewed-on: http://gerrit.cloudera.org:8080/6254
Reviewed-by: Todd Lipcon <todd@apache.org>
Tested-by: Kudu Jenkins
(cherry picked from commit 45548c90c788b6e482ceaa12789eaa2789232efc)
Reviewed-on: http://gerrit.cloudera.org:8080/6274


Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/dae253da
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/dae253da
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/dae253da

Branch: refs/heads/branch-1.3.x
Commit: dae253dab9ed300d91a07a407de147d03525bc3e
Parents: c8cbc8b
Author: Dan Burkert <danburkert@apache.org>
Authored: Thu Mar 2 15:59:30 2017 -0800
Committer: Jean-Daniel Cryans <jdcryans@apache.org>
Committed: Mon Mar 6 23:58:53 2017 +0000

----------------------------------------------------------------------
 src/kudu/security/init.cc | 6 ++++++
 1 file changed, 6 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kudu/blob/dae253da/src/kudu/security/init.cc
----------------------------------------------------------------------
diff --git a/src/kudu/security/init.cc b/src/kudu/security/init.cc
index f235eed..fb27f40 100644
--- a/src/kudu/security/init.cc
+++ b/src/kudu/security/init.cc
@@ -464,6 +464,12 @@ Status InitKerberosForServer() {
   setenv("KRB5CCNAME", "MEMORY:kudu", 1);
   setenv("KRB5_KTNAME", FLAGS_keytab_file.c_str(), 1);
 
+  // KUDU-1897: disable the Kerberos replay cache. The KRPC protocol includes a
+  // per-connection server-generated nonce to protect against replay attacks
+  // when authenticating via Kerberos. The replay cache has many performance and
+  // implementation issues.
+  setenv("KRB5RCACHETYPE", "none", 1);
+
   g_kinit_ctx = new KinitContext();
   string principal;
   RETURN_NOT_OK(GetConfiguredPrincipal(&principal));
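Review bot: The added setenv("KRB5RCACHETYPE", "none", 1) disables the replay cache for the whole process, while the comment above it justifies the change only for KRPC connections, which carry a per-connection server-generated nonce. Any other code path in this process that accepts Kerberos authentication without that nonce would lose replay protection as well, so the comment should state that the setting is process-wide and is safe only while every Kerberos acceptor goes through the KRPC nonce check. The overwrite argument of 1 also replaces any KRB5RCACHETYPE value an operator set in the environment; either document that this is intended or pass 0 so an explicit setting wins. The return value is unchecked, matching the two setenv calls above it, so a failed call would leave the replay cache enabled with no log line; a check or a warning here would make that visible.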

