[ 
https://issues.apache.org/jira/browse/HADOOP-14146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16040025#comment-16040025
 ] 

Kai Zheng commented on HADOOP-14146:
------------------------------------

In addition to the above comments, some more:

1. Ref. below, NT_GSS_KRB5_PRINCIPAL could be NT_GSS_KRB5_PRINCIPAL_OID.
{code}
+  public static final Oid GSS_SPNEGO_MECH_OID =
+      getNumericOidInstance("1.3.6.1.5.5.2");
+  public static final Oid GSS_KRB5_MECH_OID =
+      getNumericOidInstance("1.2.840.113554.1.2.2");
+  public static final Oid NT_GSS_KRB5_PRINCIPAL =
+      getNumericOidInstance("1.2.840.113554.1.2.2.1");
{code}

2. Ref. below, the message would be more specific like "Invalid server 
principal {} decoded from client request".
{code}
+        final String serverPrincipal =
+            KerberosUtil.getTokenServerName(clientToken);
+        if (!serverPrincipal.startsWith("HTTP/")) {
+          throw new IllegalArgumentException(
+              "Invalid server principal: " + serverPrincipal);
+        }
{code}
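Review bot: the `startsWith("HTTP/")` check accepts any principal beginning with `HTTP/` for any host or realm, and the value comes from the ticket's unverified plaintext, so it is only a sanity check; the GSS accept that follows (which can only succeed with a matching key in the keytab) is what actually proves the SPN is ours. Say so in a comment, and note that until that point the string in the `IllegalArgumentException` message is client-supplied.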
3. You get rid of the login check for each HTTP server principal listed in the 
keytab; instead, you put them into the server subject directly or manually. Is 
it possible that a server principal is expired or invalid at the time? 
{code}
-      for (String spnegoPrincipal : spnegoPrincipals) {
-        LOG.info("Login using keytab {}, for principal {}",
-            keytab, spnegoPrincipal);
-        final KerberosConfiguration kerberosConfiguration =
-            new KerberosConfiguration(keytab, spnegoPrincipal);
-        final LoginContext loginContext =
-            new LoginContext("", serverSubject, null, kerberosConfiguration);
-        try {
-          loginContext.login();
-        } catch (LoginException le) {
-          LOG.warn("Failed to login as [{}]", spnegoPrincipal, le);
-          throw new AuthenticationException(le);          
-        }
-        loginContexts.add(loginContext);
{code}
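Review bot: deleting this loop also deletes the only place that populated `loginContexts`, so confirm whatever iterates that list (logout on destroy) is updated or removed too. It also changes failure timing: the old loop failed fast at init with `AuthenticationException` when a keytab entry could not log in, whereas a missing or unreadable `HTTP/` entry now surfaces only when the first AP-REQ for it arrives; worth stating in the Javadoc.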
4. Besides, you might want to call {{KerberosUtil.hasKerberosKeyTab}} with the 
keytab instance placed in the subject; I wonder how the instance would be used in 
the subsequent SPNEGO authentication of the client token. Could you help 
explain a bit for me, or as a comment in the code? Thanks!
{code}
+      KeyTab keytabInstance = KeyTab.getInstance(keytabFile);
+      serverSubject.getPrivateCredentials().add(keytabInstance);
{code}
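Review bot: `KeyTab.getInstance(File)` returns an unbound keytab whose contents are read lazily and re-read when the file changes, and it does not fail for a missing or unreadable file, so the keytab file must remain readable by the server process for its whole lifetime and its permissions matter beyond init. Consider checking `keytabInstance.exists()` here and failing early, and add a comment that the unbound keytab is what lets the acceptor pick the key for whichever `HTTP/` principal the AP-REQ names.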
5. Is this a good chance to move the following block to somewhere like 
{{KerberosUtil}}?
{code}
    /* Return the OS login module class name */
    private static String getOSLoginModuleName() {
      if (IBM_JAVA) {
        if (windows) {
          return is64Bit ? "com.ibm.security.auth.module.Win64LoginModule"
              : "com.ibm.security.auth.module.NTLoginModule";
        } else if (aix) {
          return is64Bit ? "com.ibm.security.auth.module.AIX64LoginModule"
              : "com.ibm.security.auth.module.AIXLoginModule";
        } else {
          return "com.ibm.security.auth.module.LinuxLoginModule";
        }
      } else {
        return windows ? "com.sun.security.auth.module.NTLoginModule"
            : "com.sun.security.auth.module.UnixLoginModule";
      }
    }
{code}

> KerberosAuthenticationHandler should authenticate with SPN in AP-REQ
> --------------------------------------------------------------------
>
>                 Key: HADOOP-14146
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14146
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.5.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>         Attachments: HADOOP-14146.1.patch, HADOOP-14146.2.patch, 
> HADOOP-14146.patch
>
>
> Many attempts (HADOOP-10158, HADOOP-11628, HADOOP-13565) have tried to add 
> multiple SPN host and/or realm support to spnego authentication.  The basic 
> problem is the server tries to guess and/or brute force what SPN the client 
> used.  The server should just decode the SPN from the AP-REQ.
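To make the approach in the issue concrete, here is an added example (not Hadoop code, and not the patch's KerberosUtil.getTokenServerName) that builds a constructed RFC 4120 AP-REQ with zero-filled placeholder ciphertexts and then decodes the server principal from the Ticket's plaintext sname/realm fields, as the acceptor would instead of guessing. The SPNEGO NegTokenInit and GSS framing that normally wrap the AP-REQ are assumed to have been stripped already.

```python
def der_len(n):  # DER length, short or long form
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def tlv(tag, content): return bytes([tag]) + der_len(len(content)) + content
def ctx(n, content): return tlv(0xA0 | n, content)   # [n] EXPLICIT context tag
def gs(s): return tlv(0x1B, s.encode())              # GeneralString
def integer(i): return tlv(0x02, bytes([i]))

def build_ap_req(realm, name_parts):  # constructed sample, not real traffic
    sname = tlv(0x30, ctx(0, integer(1)) +                   # name-type NT-PRINCIPAL
                      ctx(1, tlv(0x30, b"".join(gs(p) for p in name_parts))))
    enc = tlv(0x30, ctx(0, integer(18)) + ctx(2, tlv(0x04, b"\0" * 16)))  # EncryptedData stub
    ticket = tlv(0x61, tlv(0x30, ctx(0, integer(5)) + ctx(1, gs(realm)) +
                               ctx(2, sname) + ctx(3, enc)))           # [APPLICATION 1]
    return tlv(0x6E, tlv(0x30, ctx(0, integer(5)) + ctx(1, integer(14)) +   # [APPLICATION 14]
                         ctx(2, tlv(0x03, b"\0" * 5)) + ctx(3, ticket) + ctx(4, enc)))

def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length
def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out
def unwrap(buf, expected):  # exactly one element with the expected tag
    tag, content, end = read_tlv(buf)
    if tag != expected or end != len(buf):
        raise ValueError("expected tag %#x" % expected)
    return content
def field(content, n):  # content of [n] inside a SEQUENCE body; StopIteration if absent
    return next(v for t, v in children(content) if t == (0xA0 | n))

def server_principal_from_ap_req(token):
    """'service/host@REALM' from the unverified Ticket plaintext; the acceptor must still prove it holds that key."""
    ap_req = unwrap(unwrap(token, 0x6E), 0x30)
    if unwrap(field(ap_req, 1), 0x02) != b"\x0e":
        raise ValueError("msg-type is not KRB_AP_REQ (14)")
    ticket = unwrap(unwrap(field(ap_req, 3), 0x61), 0x30)
    realm = unwrap(field(ticket, 1), 0x1B).decode()
    names = unwrap(field(unwrap(field(ticket, 2), 0x30), 1), 0x30)  # sname.name-string
    return "/".join(v.decode() for t, v in children(names) if t == 0x1B) + "@" + realm
```

The decoded value is exactly what the patch's `HTTP/` prefix check operates on, and it is trustworthy only once the ticket has been decrypted with a key from the server's keytab.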



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
