Repository: kudu Updated Branches: refs/heads/master f65feff68 -> 45548c90c
KUDU-1897: disable Kerberos replay cache Change-Id: Ifbce55a0b12682fdf69e7b2c361c6336495db64d Reviewed-on: http://gerrit.cloudera.org:8080/6254 Reviewed-by: Todd Lipcon <[email protected]> Tested-by: Kudu Jenkins Project: http://git-wip-us.apache.org/repos/asf/kudu/repo Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/45548c90 Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/45548c90 Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/45548c90 Branch: refs/heads/master Commit: 45548c90c788b6e482ceaa12789eaa2789232efc Parents: f65feff Author: Dan Burkert <[email protected]> Authored: Thu Mar 2 15:59:30 2017 -0800 Committer: Dan Burkert <[email protected]> Committed: Mon Mar 6 22:45:30 2017 +0000 ---------------------------------------------------------------------- src/kudu/security/init.cc | 6 ++++++ 1 file changed, 6 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/kudu/blob/45548c90/src/kudu/security/init.cc ----------------------------------------------------------------------
diff --git a/src/kudu/security/init.cc b/src/kudu/security/init.cc
index f235eed..fb27f40 100644
--- a/src/kudu/security/init.cc
+++ b/src/kudu/security/init.cc
@@ -464,6 +464,12 @@ Status InitKerberosForServer() {
 setenv("KRB5CCNAME", "MEMORY:kudu", 1);
 setenv("KRB5_KTNAME", FLAGS_keytab_file.c_str(), 1);
+ // KUDU-1897: disable the Kerberos replay cache. The KRPC protocol includes a
+ // per-connection server-generated nonce to protect against replay attacks
+ // when authenticating via Kerberos. The replay cache has many performance and
+ // implementation issues.
+ setenv("KRB5RCACHETYPE", "none", 1);
+
 g_kinit_ctx = new KinitContext();
 string principal;
 RETURN_NOT_OK(GetConfiguredPrincipal(&principal));
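Review bot: `setenv("KRB5RCACHETYPE", "none", 1)` turns the replay cache off for the whole process, while the comment above it justifies the change only by KRPC's per-connection nonce. If anything else in this process accepts Kerberos tickets through the same library (not visible in this hunk), it loses replay detection with nothing to replace it, so the comment should state the scope, e.g. `// NOTE: process-wide; any non-KRPC Kerberos acceptor in this process must supply its own replay protection.` The overwrite flag of 1 also discards any value the operator set in the environment; if that is intended, the comment should say so. InitKerberosForServer() begins and continues outside the hunk.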
