[ 
https://issues.apache.org/jira/browse/HADOOP-12617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15047768#comment-15047768
 ] 

Matt Foley commented on HADOOP-12617:
-------------------------------------

Happily, the spurious asflicense check went away.  Also, I ran an IBM Java SDK 
(version 8.0) on a Linux CentOS 6 VM, and established that the correct fully 
qualified class name for PrincipalName is 
"com.ibm.security.krb5.PrincipalName", not 
"com.ibm.security.krb5.internal.PrincipalName".  With the corrected path, it 
works as expected.  So I'm uploading one more version of the patchfile, 
HADOOP-12617.008.patch, with that correction, but there's no need to run the 
robot again.

Committing underway.

> SPNEGO authentication request to non-default realm gets default realm name 
> inserted in target server principal
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-12617
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12617
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.7.1
>         Environment: Java client talking to two secure clusters in different 
> Kerberos realms,
> or talking to any secure cluster in non-default realm
>            Reporter: Matt Foley
>            Assignee: Matt Foley
>         Attachments: HADOOP-12617-branch-2.7.001.patch, 
> HADOOP-12617-branch-2.7.002.patch, HADOOP-12617.003.patch, 
> HADOOP-12617.005.patch, HADOOP-12617.006.patch, HADOOP-12617.007.patch
>
>
> Note: This is NOT a vulnerability.
> In order for a single Java client to communicate with two different secure 
> clusters in different realms (only one of which can be the "default_realm"), 
> the client's krb5.conf file must specify both realms, and provide a 
> [domain_realm] section that maps cluster servers' domains to the correct 
> realms.  With other appropriate behaviors (such as using the config from each 
> cluster to talk to the respective clusters, and a user principal from each 
> realm to talk to the respective realms), this is sufficient for most Hadoop 
> ecosystem clients.  
> But our SPNEGO-using clients, such as Oozie, have a bug when it comes to 
> talking to a non-default realm.  The default realm name gets incorrectly 
> inserted into the construction of the target server principal for the 
> non-default-realm cluster.  Details and proposed solution are given in the 
> first comments below.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
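
The two-realm krb5.conf layout and the default-realm symptom described in the issue, as an added example that is not part of the original message and is not the HADOOP-12617 patch. The realm names, hostnames and helper functions are constructed, and the [domain_realm] matching is a simplified model (exact host entry, then enclosing ".domain" entries, no referral or fallback handling).

```python
# Added illustration; realms, hosts and helper names are constructed.
KRB5_CONF = """\
[libdefaults]
    default_realm = REALM-A.EXAMPLE
[realms]
    REALM-A.EXAMPLE = { kdc = kdc.a.example }
    REALM-B.EXAMPLE = { kdc = kdc.b.example }
[domain_realm]
    .cluster-a.example = REALM-A.EXAMPLE
    .cluster-b.example = REALM-B.EXAMPLE
    gateway.cluster-a.example = REALM-B.EXAMPLE
"""

def parse_section(conf, name):
    """Return the 'key = value' pairs of one [section] as a dict."""
    pairs, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == name and "=" in line:
            key, value = line.split("=", 1)
            pairs[key.strip()] = value.strip()
    return pairs

def realm_for_host(conf, host):
    """Exact host entry wins; otherwise the closest enclosing '.domain' entry."""
    mapping = {k.lower(): v for k, v in parse_section(conf, "domain_realm").items()}
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None  # simplification: no KDC referral or other fallback

def spnego_target(conf, host, buggy=False):
    """Build the HTTP/<host>@<realm> name a SPNEGO client requests a ticket for.

    buggy=True models the reported symptom: the default realm is always used.
    """
    default = parse_section(conf, "libdefaults")["default_realm"]
    if buggy:
        return f"HTTP/{host}@{default}"
    realm = realm_for_host(conf, host)
    return f"HTTP/{host}@{realm}" if realm else f"HTTP/{host}"
```

For a host in the default realm both modes return the same principal, which is why the symptom only shows up against the non-default-realm cluster.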
