[
https://issues.apache.org/jira/browse/HADOOP-14146?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Daryn Sharp updated HADOOP-14146:
---------------------------------
Attachment: HADOOP-14146.3.patch
[~drankye], thanks for your time!
# Added OID suffix.
# Changed exception message.
# The login module's main purpose is obtaining a TGT which initiators/clients
require. Acceptor services only need the secrets in the keytab. The
{{Keytab}} instance automatically loads the secrets.
# I'm not sure I understand the first part.
#* There's no need to pre-check for a keytab in the subject because the
authenticator created an empty subject.
#* Java's GSS implementations used in SASL and SPNEGO automatically look for a
keytab instance.
# While perhaps a good idea, it's unrelated to this patch and more suitable for
another jira if someone wants to do it.
> KerberosAuthenticationHandler should authenticate with SPN in AP-REQ
> --------------------------------------------------------------------
>
> Key: HADOOP-14146
> URL: https://issues.apache.org/jira/browse/HADOOP-14146
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.5.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Attachments: HADOOP-14146.1.patch, HADOOP-14146.2.patch,
> HADOOP-14146.3.patch, HADOOP-14146.patch
>
>
> Many attempts (HADOOP-10158, HADOOP-11628, HADOOP-13565) have tried to add
> multiple SPN host and/or realm support to spnego authentication. The basic
> problem is the server tries to guess and/or brute force what SPN the client
> used. The server should just decode the SPN from the AP-REQ.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
