zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andor Molnar (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (ZOOKEEPER-3156) ZOOKEEPER-2184 causes kerberos principal to not have resolved host name
Date Wed, 26 Sep 2018 20:14:00 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-3156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16629340#comment-16629340
] 

Andor Molnar edited comment on ZOOKEEPER-3156 at 9/26/18 8:13 PM:
------------------------------------------------------------------

We should use getCanonicalHostName() to force reverse ip lookup and get the FQDN of the server
according to this javadoc:
https://docs.oracle.com/javase/7/docs/api/java/net/InetAddress.html#getCanonicalHostName()

Introducing a switch to enable reverse dns lookups would be inline with Kerberos client behaviour:
http://web.mit.edu/kerberos/krb5-current/doc/admin/princ_dns.html

In the krb5 client you can disable canonicalization with rdns=false setting.

I can put together a patch tomorrow if needed.


was (Author: andorm):
We should use getCanonicalHostName() to force reverse ip lookup and get the FQDN of the server
according to this javadoc:
https://docs.oracle.com/javase/7/docs/api/java/net/InetAddress.html#getCanonicalHostName()

Introducing a switch to enable reverse dns lookups would be inline with Kerberos client behaviour:
http://web.mit.edu/kerberos/krb5-current/doc/admin/princ_dns.html

In the krb5 client you can disable canonicalization with rdns=false setting.

> ZOOKEEPER-2184 causes kerberos principal to not have resolved host name
> -----------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-3156
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3156
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: java client
>    Affects Versions: 3.6.0, 3.4.13, 3.5.5
>            Reporter: Robert Joseph Evans
>            Assignee: Robert Joseph Evans
>            Priority: Blocker
>
> Prior to ZOOKEEPER-2184 the zookeeper client would canonicalize a configured host name
before creating the SASL client which is used to create the principal name.  After ZOOKEEPER-2184
that canonicalization does not happen so the principal that the ZK client tries to use when
it is configured to talk to a CName is different between 3.4.13 and all previous versions
of ZK.
>  
> For example
>  
> zk1.mycluster.mycompany.com maps to real-node.mycompany.com.
>  
> 3.4.13 will want the server to have [zookeeper/zk1.mycluster.com@KDC.MYCOMPANY.COM|mailto:zookeeper/zk1.mycluster.com@KDC.MYCOMPANY.COM]
> 3.4.12 wants the server to have [zookeeper/real-node.mycompany.com@KDC.MYCOMPANY.COM|mailto:zookeeper/real-node.mycompany.com@KDC.MYCOMPANY.COM]
>  
> This makes 3.4.13 incompatible with many ZK setups currently in existence.  It would
be nice to have that resolution be optional because in some cases it might be nice to have
a single principal tied to the cname.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message