[ https://issues.apache.org/jira/browse/HADOOP-14146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15947611#comment-15947611 ]

Daryn Sharp commented on HADOOP-14146:
--------------------------------------
Based on your suggestion, I looked at the Kerby code again. It's much more
expensive in both computation and object allocation rates, the latter of which
we definitely don't need. My goal is an extremely lightweight and minimal
decode since the GSSManager is subsequently going to do a full decode.

I did testing with AD and the unit tests use mini-kdc issued tickets. I
wouldn't be too worried about KDCs though. Service tickets are an ancient and
well-defined RFC format. The JDK very rigidly follows it and makes assumptions
of DER tag ordering (it'll incidentally blow up if it assumed wrong), whereas
I'm being more correct in looking up & verifying DER tags.

> KerberosAuthenticationHandler should authenticate with SPN in AP-REQ
> --------------------------------------------------------------------
>
> Key: HADOOP-14146
> URL: https://issues.apache.org/jira/browse/HADOOP-14146
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.5.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Attachments: HADOOP-14146.1.patch, HADOOP-14146.patch
>
>
> Many attempts (HADOOP-10158, HADOOP-11628, HADOOP-13565) have tried to add
> multiple SPN host and/or realm support to SPNEGO authentication. The basic
> problem is the server tries to guess and/or brute force what SPN the client
> used. The server should just decode the SPN from the AP-REQ.
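
An added example (not the HADOOP-14146 patch and not code from the comment's author) of the kind of minimal decode discussed above: it looks up and verifies only the DER tags needed to reach the ticket's realm and sname in an AP-REQ, using the RFC 4120 tag values, and skips the encrypted parts. It is written in Python, assumes the SPNEGO/GSS-API wrapper has already been stripped, and every function name and the sample AP-REQ are constructed for illustration.

```python
def read(buf, want):
    """Return (value, rest) for the TLV at the start of buf; require tag `want`."""
    if len(buf) < 2 or buf[0] != want:
        raise ValueError(f"expected DER tag 0x{want:02x}")
    n, off = buf[1], 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        if not 1 <= k <= 4 or len(buf) < 2 + k:
            raise ValueError("bad DER length")
        n, off = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    if len(buf) < off + n:
        raise ValueError("truncated TLV")
    return buf[off:off + n], buf[off + n:]

def field(seq, want):
    """Look up context-tagged field `want` among sibling TLVs, skipping others."""
    while seq:
        tag = seq[0]
        value, seq = read(seq, tag)
        if tag == want:
            return value
    raise ValueError(f"missing field 0x{want:02x}")

def service_principal(ap_req):
    """Return 'service/host@REALM' from a raw AP-REQ (assumed already unwrapped)."""
    seq = read(read(ap_req, 0x6E)[0], 0x30)[0]            # AP-REQ [APPLICATION 14]
    tkt = read(read(field(seq, 0xA3), 0x61)[0], 0x30)[0]  # ticket [3], [APPLICATION 1]
    realm = read(field(tkt, 0xA1), 0x1B)[0]               # realm [1] GeneralString
    sname = read(field(tkt, 0xA2), 0x30)[0]               # sname [2] PrincipalName
    names = read(field(sname, 0xA1), 0x30)[0]             # name-string [1] SEQUENCE OF
    parts = []
    while names:
        part, names = read(names, 0x1B)
        parts.append(part.decode("ascii"))
    return "/".join(parts) + "@" + realm.decode("ascii")

def tlv(tag, body):
    """DER-encode one TLV; used only to build the constructed sample below."""
    n, k = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body

def sample_ap_req(service, host, realm):
    """Constructed AP-REQ with dummy (all-zero) encrypted parts; not a real ticket."""
    ctx = lambda n, body: tlv(0xA0 | n, body)
    num, gstr = (lambda v: tlv(0x02, bytes([v]))), (lambda s: tlv(0x1B, s.encode()))
    enc = tlv(0x30, ctx(0, num(18)) + ctx(2, tlv(0x04, bytes(200))))
    sname = tlv(0x30, ctx(0, num(2)) + ctx(1, tlv(0x30, gstr(service) + gstr(host))))
    ticket = tlv(0x61, tlv(0x30, ctx(0, num(5)) + ctx(1, gstr(realm)) + ctx(2, sname) + ctx(3, enc)))
    return tlv(0x6E, tlv(0x30, ctx(0, num(5)) + ctx(1, num(14)) + ctx(2, tlv(0x03, bytes(5))) + ctx(3, ticket) + ctx(4, enc)))
```

The name read this way comes from the unencrypted part of the ticket, so it only selects which service key to try; the full decode and decryption that follow are what authenticate the request.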