[
https://issues.apache.org/jira/browse/HADOOP-7215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13014137#comment-13014137
]
Suresh Srinivas commented on HADOOP-7215:
-----------------------------------------
In that case, we have two choices:
# Fail at the client side:
#* If the client principal name does not have <part1>/<part2>@realm format,
fail it at the client with appropriate error.
#* If the format is right, treat part2 as host name. Just try to bind to it and
if bind fails, then the failure occurs at the client itself with appropriate
error.
# Fail at the server side:
#* If the client principal name does not have <part1>/<part2>@realm format,
bind to any local address for the request.
#* If the format is right, treat part2 as host name. If host name is a valid
local address, bind to it else bind to any local address. This request will be
rejected by the server.
I am leaning towards (2) because the server is rightly involved in the decision of
rejecting the client. It provides a record of this at both the client and the
server. This will help debugging on the server side, independent of the client.
> RPC clients must connect over a network interface corresponding to the host
> name in the client's kerberos principal key
> -----------------------------------------------------------------------------------------------------------------------
>
> Key: HADOOP-7215
> URL: https://issues.apache.org/jira/browse/HADOOP-7215
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Suresh Srinivas
> Assignee: Suresh Srinivas
> Fix For: 0.20.203.0, 0.23.0
>
> Attachments: HADOOP-7215.trunk.patch
>
>
> HDFS-7104 introduced a change where the RPC server matches the client's hostname with
> the hostname specified in the client's Kerberos principal name. The RPC client
> binds the socket to a random local address, which might not match the
> hostname specified in the principal name. This results in authorization failure
> of the client at the server.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
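The two bind-address strategies discussed in the comment above, written out as an added example in Python (this is illustration code, not Hadoop's RPC client or the attached patch). It assumes a principal of the form part1/part2@REALM, treats part2 as the host name, and decides whether that host is local by attempting to bind an unconnected IPv4 socket to it. The function names, the IPv4-only resolution and the wildcard address 0.0.0.0 are choices made here, not anything the ticket specifies. `server_authorizes` models the server-side comparison the ticket describes (peer address vs. host in the principal), so the "fail at the server" path of option (2) can be exercised end to end.

```python
import socket

# Assumed wildcard; binding here lets the kernel pick the source address (option 2).
WILDCARD = "0.0.0.0"


def parse_principal(principal):
    """Split 'part1/part2@REALM' into (part1, part2, realm).

    part2 is None when the principal has no host component (e.g. 'hdfs@REALM').
    """
    if "@" not in principal:
        raise ValueError("principal %r has no realm" % principal)
    name, realm = principal.rsplit("@", 1)
    if "/" in name:
        part1, part2 = name.split("/", 1)
    else:
        part1, part2 = name, None
    return part1, (part2 or None), realm


def resolve_ipv4(hostname):
    """Resolve a host name (or numeric address) to one IPv4 address, or None."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return None
    return infos[0][4][0] if infos else None


def is_local_address(addr):
    """True if this machine can bind a socket to addr (i.e. it is a local interface)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((addr, 0))  # port 0: only the address matters for the check
        return True
    except OSError:       # EADDRNOTAVAIL and friends
        return False
    finally:
        s.close()


def choose_bind_address(principal, fail_at_client=False):
    """Pick the local address an RPC client should bind to for this principal.

    fail_at_client=False implements option (2) from the comment: bind to the
    principal's host if it is local, otherwise to the wildcard and let the
    server reject the request. fail_at_client=True implements option (1):
    raise at the client when the principal is malformed or its host is not local.
    """
    _, host, _ = parse_principal(principal)
    if host is None:
        if fail_at_client:
            raise ValueError("principal %r lacks a host component" % principal)
        return WILDCARD
    addr = resolve_ipv4(host)
    if addr is not None and is_local_address(addr):
        return addr
    if fail_at_client:
        raise OSError("host %r from principal is not a local address" % host)
    return WILDCARD


def server_authorizes(principal, peer_addr):
    """Server-side check: the connecting address must match the principal's host."""
    _, host, _ = parse_principal(principal)
    if host is None:
        return False
    return resolve_ipv4(host) == peer_addr


if __name__ == "__main__":
    # Constructed sample principals; 192.0.2.1 (TEST-NET-1) is never a local address.
    for p in ("hdfs/127.0.0.1@EXAMPLE.COM", "hdfs/192.0.2.1@EXAMPLE.COM", "hdfs@EXAMPLE.COM"):
        print(p, "->", choose_bind_address(p))
```

With the wildcard fallback the kernel chooses the source address on connect, so a single-homed client whose principal names its only interface still passes the server check; a multi-homed client, or one whose principal names the wrong host, is recorded as a rejection on the server, which is the behaviour the comment argues for.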