zookeeper-dev mailing list archives

From "caixiaofeng (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-2858) Disable reverse DNS lookup for java client
Date Tue, 01 Aug 2017 03:45:00 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16108337#comment-16108337 ]

caixiaofeng commented on ZOOKEEPER-2858:
----------------------------------------

can also http://docs.oracle.com/javase/7/docs/technotes/guides/net/properties.html

*sun.net.spi.nameservice.provider.<n>=<default|dns,sun|...>* Specifies the name
service provider that you can use. By default, Java will use the system configured name lookup
mechanism, such as file, nis, etc. You can specify your own by setting this option. <n>
takes the value of a positive number, it indicates the precedence order with a small number
takes higher precedence over a bigger number. Aside from the default provider, the JDK includes
a DNS provider named "dns,sun".

Prior to JDK 7, the first provider that was successfully loaded was used. In JDK 7, providers
are chained, which means that if a lookup on a provider fails, the next provider in the list
is consulted to resolve the name.

> Disable reverse DNS lookup for java client
> ------------------------------------------
>
>                 Key: ZOOKEEPER-2858
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2858
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: java client
>    Affects Versions: 3.4.6
>            Reporter: Andrey
>
> I have the following setup:
> - zookeeper server running in docker container
> - kerberos auth
> When client setup sasl connection it creates service principal name as:
> - "principalUserName+"/"+addr.getHostName()",
> where:
> - addr.getHostName is the reverse DNS of original server host.
> If zookeeper nodes will be deployed behind the firewall or software defined network (the
> docker case), then reverse DNS host won't match original server host. And this is done by
> design.
> If these hosts won't match, then principals won't match and Kerberos auth will fail.
> Is it possible to introduce some configuration parameter to disable reverse DNS lookups?



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
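
The behaviour described in the issue, as an added example that is not part of the original message and not ZooKeeper's code: it contrasts a service principal built from `getHostName()` (which may perform a reverse lookup) with one built from `InetSocketAddress.getHostString()` (which never does). The class name, the `zookeeper` user name, the host `zk1.example.internal` and the loopback address are assumptions made for the illustration.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;

public class SpnHostDemo {
    // Assumed service user name for this example.
    static final String PRINCIPAL_USER = "zookeeper";

    // Pattern quoted in the issue: when the address carries no host name,
    // getHostName() asks the resolver for a reverse (PTR) lookup of the IP.
    static String spnViaGetHostName(InetSocketAddress addr) {
        return PRINCIPAL_USER + "/" + addr.getHostName();
    }

    // getHostString() returns the name or literal the address was built with
    // and never triggers a reverse lookup.
    static String spnViaGetHostString(InetSocketAddress addr) {
        return PRINCIPAL_USER + "/" + addr.getHostString();
    }

    public static void main(String[] args) throws Exception {
        String configuredHost = "zk1.example.internal"; // constructed name
        byte[] ip = {127, 0, 0, 1};                     // constructed stand-in IP

        // Address that lost its name: only the raw IP bytes are kept.
        InetSocketAddress ipOnly =
                new InetSocketAddress(InetAddress.getByAddress(ip), 2181);
        // Address that keeps the configured name next to the IP (no lookup done).
        InetSocketAddress named =
                new InetSocketAddress(InetAddress.getByAddress(configuredHost, ip), 2181);

        // getHostString() first: calling getHostName() caches the looked-up
        // name inside the InetAddress and would change later results.
        System.out.println("ip only, getHostString(): " + spnViaGetHostString(ipOnly));
        // The host part below is whatever the local resolver maps the IP to.
        System.out.println("ip only, getHostName():   " + spnViaGetHostName(ipOnly));

        // With the configured name retained, both calls agree with the
        // connect string and no reverse lookup happens.
        System.out.println("named,   getHostString(): " + spnViaGetHostString(named));
        System.out.println("named,   getHostName():   " + spnViaGetHostName(named));
    }
}
```

The second line of output depends on the machine's resolver configuration, which is the mismatch the reporter describes for hosts behind a firewall or software-defined network.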
