[ https://issues.apache.org/jira/browse/HADOOP-14146?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daryn Sharp updated HADOOP-14146:
---------------------------------
Attachment: HADOOP-14146.patch
In earlier jiras, I attempted to support multiple hostnames and cnames via use
of the http host header. Then I had to always canonicalize to support cnames.
Community added additional support for multiple realms.
While testing EZ, it was discovered that either the jdk or AuthenticatedURL
isn't canonicalizing cnames as expected. Rather than add more hackery, let's
just extract the SPN from the AP-REQ. This patch uses a minimal DER parser to
do that.
Removed a bunch of unnecessary code to manage login contexts and spn mappings.
JDK7 added a KeyTab instance that can be bound to a specific SPN or unbound for
any valid SPN in the keytab. Adding this object to the Subject is sufficient.
Combined with SPN extraction, the server can authenticate against any SPN in
the keytab (if it's unbound).
> KerberosAuthenticationHandler should authenticate with SPN in AP-REQ
> --------------------------------------------------------------------
>
> Key: HADOOP-14146
> URL: https://issues.apache.org/jira/browse/HADOOP-14146
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.5.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Attachments: HADOOP-14146.patch
>
>
> Many attempts (HADOOP-10158, HADOOP-11628, HADOOP-13565) have tried to add
> multiple SPN host and/or realm support to spnego authentication. The basic
> problem is the server tries to guess and/or brute force what SPN the client
> used. The server should just decode the SPN from the AP-REQ.
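To make the approach concrete, here is an added example (not the attached patch and not Hadoop code) that does what the comment describes: walk the cleartext part of a Kerberos AP-REQ with a minimal DER parser and pull out the service principal the client actually asked for, instead of guessing it from the HTTP Host header. It is written in Python rather than Java so it can be run as-is. The AP-REQ it parses is constructed in `build_sample_ap_req` with placeholder ciphertext, and the helper names (`der_read`, `der_field`, `extract_spn`, and so on) are this example's own, not identifiers from the patch.

```python
# Minimal DER walker for the cleartext header of a Kerberos AP-REQ (RFC 4120):
#   AP-REQ ::= [APPLICATION 14] SEQUENCE { pvno [0], msg-type [1], ap-options [2],
#                                          ticket [3], authenticator [4] }
#   Ticket ::= [APPLICATION 1]  SEQUENCE { tkt-vno [0], realm [1], sname [2], enc-part [3] }
#   PrincipalName ::= SEQUENCE { name-type [0], name-string [1] SEQUENCE OF KerberosString }
# Only the fields needed to recover "service/host@REALM" are decoded.

def der_read(buf, pos):
    """Decode the tag and length at buf[pos]; return (tag, body_start, body_end).
    Single-byte tags only, which covers every tag used in an AP-REQ."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag = buf[pos]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tags are not used in Kerberos messages")
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:                                 # short-form length
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("DER body runs past end of buffer")
    return tag, pos, end

def der_children(buf, start, end):
    """Yield (tag, body_start, body_end) for each TLV packed into buf[start:end]."""
    pos = start
    while pos < end:
        tag, bs, be = der_read(buf, pos)
        yield tag, bs, be
        pos = be

def der_unwrap(buf, start, end, expected_tag):
    """Read the single TLV filling buf[start:end], check its tag, return its body range."""
    tag, bs, be = der_read(buf, start)
    if tag != expected_tag or be != end:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (expected_tag, tag))
    return bs, be

def der_field(buf, start, end, n):
    """Body range of the explicitly tagged context field [n] inside a SEQUENCE body."""
    for tag, bs, be in der_children(buf, start, end):
        if tag == (0xA0 | n):
            return bs, be
    raise ValueError("missing field [%d]" % n)

def der_int(buf, start, end):
    bs, be = der_unwrap(buf, start, end, 0x02)          # INTEGER
    return int.from_bytes(buf[bs:be], "big", signed=True)

def der_kstring(buf, start, end):
    bs, be = der_unwrap(buf, start, end, 0x1B)          # GeneralString (KerberosString)
    return buf[bs:be].decode("utf-8")

def extract_spn(ap_req):
    """Return 'service/host@REALM' from the ticket header of a raw AP-REQ."""
    s, e = der_unwrap(ap_req, 0, len(ap_req), 0x6E)     # [APPLICATION 14]
    s, e = der_unwrap(ap_req, s, e, 0x30)               # SEQUENCE
    if der_int(ap_req, *der_field(ap_req, s, e, 0)) != 5:
        raise ValueError("pvno is not 5")
    if der_int(ap_req, *der_field(ap_req, s, e, 1)) != 14:
        raise ValueError("msg-type is not AP-REQ")
    ts, te = der_field(ap_req, s, e, 3)                 # [3] ticket
    ts, te = der_unwrap(ap_req, ts, te, 0x61)           # [APPLICATION 1]
    ts, te = der_unwrap(ap_req, ts, te, 0x30)
    realm = der_kstring(ap_req, *der_field(ap_req, ts, te, 1))
    ps, pe = der_field(ap_req, ts, te, 2)               # [2] sname
    ps, pe = der_unwrap(ap_req, ps, pe, 0x30)
    ns, ne = der_field(ap_req, ps, pe, 1)               # [1] name-string
    ns, ne = der_unwrap(ap_req, ns, ne, 0x30)
    parts = []
    for tag, bs, be in der_children(ap_req, ns, ne):
        if tag != 0x1B:
            raise ValueError("name-string component is not a KerberosString")
        parts.append(ap_req[bs:be].decode("utf-8"))
    if not parts:
        raise ValueError("empty name-string")
    return "/".join(parts) + "@" + realm

# --- constructed test input (not a capture): an AP-REQ with dummy ciphertext ---
def der_tlv(tag, body):
    """Encode one TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_sample_ap_req(service, host, realm):
    """Only the cleartext ticket header (realm, sname) is meaningful here."""
    ctx = lambda n, body: der_tlv(0xA0 | n, body)
    integer = lambda v: der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
    kstr = lambda t: der_tlv(0x1B, t.encode("utf-8"))
    enc = der_tlv(0x30, ctx(0, integer(18)) + ctx(2, der_tlv(0x04, b"\x00" * 16)))  # EncryptedData, dummy cipher
    sname = der_tlv(0x30, ctx(0, integer(1)) + ctx(1, der_tlv(0x30, kstr(service) + kstr(host))))  # NT-PRINCIPAL
    ticket = der_tlv(0x61, der_tlv(0x30, ctx(0, integer(5)) + ctx(1, kstr(realm)) + ctx(2, sname) + ctx(3, enc)))
    ap_options = der_tlv(0x03, b"\x00\x00\x00\x00\x00")  # 32-bit BIT STRING, no options set
    return der_tlv(0x6E, der_tlv(0x30, ctx(0, integer(5)) + ctx(1, integer(14)) +
                                 ctx(2, ap_options) + ctx(3, ticket) + ctx(4, enc)))

if __name__ == "__main__":
    print(extract_spn(build_sample_ap_req("HTTP", "nn.example.com", "EXAMPLE.COM")))
```

The realm and sname in the ticket are cleartext, so this lookup is cheap, but it is not yet authentication: the extracted name only tells the server which keytab entry to try, and the request is trusted only after the ticket decrypts and verifies with that key (the acceptSecContext step the patch still relies on). Any parser used this way should reject malformed or truncated tokens, as the bounds checks above do, rather than fall back to guessing a name.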
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)