[https://issues.apache.org/jira/browse/HADOOP-16214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16813602#comment-16813602]
Eric Yang commented on HADOOP-16214:
------------------------------------
[~daryn] The KerberosName class is used for parsing both the service principal and
the user principal. In addition, it is also used to store the user/service identity
for the non-Kerberos case.
{quote}Patch introduces #3 which violates the RFC.
HTTP – service=HTTP host=(null)
HTTP/abc.com – service=HTTP host=abc.com
HTTP/abc.com/admin – service=HTTP/abc.com/admin host=(null){quote}
For Kerberos security, 3 is RFC compliant because this is a user principal. The
KerberosName class's private variable serviceName is used to store both the service
name and the user name. Therefore, handling HTTP/abc.com/admin in serviceName is
correct to ensure the components can be parsed for auth_to_local mapping
regardless of whether this is a service principal or a user principal.
In the simple security case, processing of serviceName does not follow the RFC1510
defined guideline because it has no realm and does not apply the Kerberos
auth_to_local rule. However, the username may be handled incorrectly by splitting on
"/" in Hadoop logic in the attempt to make simple security and Kerberos
security look alike.
A malicious user can trick Hadoop into believing hdfs/myautogen/program is its
username and end up with hdfs access under simple security. This is the reason
that I chose to apply no processing of serviceName in simple security, to
prevent Hadoop from processing an incorrect username. I have no opinion on whether we go
with patch 8, because simple security is no security in practice.
I hope this clarifies the issues that we are dealing with, and [~daryn]'s
unfamiliarity with KerberosName class. His opinion above isn't sufficient to
propose the next step. Now we know how serviceName is used, please recheck the
code to see if we can move forward.
> Kerberos name implementation in Hadoop does not accept principals with more
> than two components
> -----------------------------------------------------------------------------------------------
>
> Key: HADOOP-16214
> URL: https://issues.apache.org/jira/browse/HADOOP-16214
> Project: Hadoop Common
> Issue Type: Bug
> Components: auth
> Reporter: Issac Buenrostro
> Priority: Major
> Attachments: HADOOP-16214.001.patch, HADOOP-16214.002.patch,
> HADOOP-16214.003.patch, HADOOP-16214.004.patch, HADOOP-16214.005.patch,
> HADOOP-16214.006.patch, HADOOP-16214.007.patch, HADOOP-16214.008.patch
>
>
> org.apache.hadoop.security.authentication.util.KerberosName is in charge of
> converting a Kerberos principal to a user name in Hadoop for all of the
> services requiring authentication.
> Although the Kerberos spec
> ([https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html])
> allows for an arbitrary number of components in the principal, the Hadoop
> implementation will throw a "Malformed Kerberos name:" error if the principal
> has more than two components (because the regex can only read serviceName and
> hostName).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
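The parsing and mapping behaviour argued over in this thread, as an added standalone illustration (Python, not Hadoop's KerberosName and not code from any participant): a principal parser that accepts any number of components, a simplified auth_to_local evaluator in which a `[n:...]` rule only fires for principals with exactly n components, and the simple-security hazard of splitting an unauthenticated name on "/". The default realm EXAMPLE.COM, the rule strings and the principals are constructed for the example; the DEFAULT rule semantics (first component for any principal in the default realm) are this illustration's convention.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed default realm for this illustration (a real deployment reads it from krb5 config).
DEFAULT_REALM = "EXAMPLE.COM"


@dataclass
class Principal:
    components: List[str]   # c1 (service/user name), c2 (host), ... cN; any count allowed
    realm: Optional[str]    # None when there is no '@REALM' (the simple-security case)


def parse_principal(name: str) -> Principal:
    """Split 'c1/c2/.../cN[@REALM]' into components; RFC 1510/4120 allow any number."""
    body, realm = name.rsplit("@", 1) if "@" in name else (name, None)
    comps = body.split("/")
    if not body or realm == "" or any(c == "" for c in comps):
        raise ValueError(f"Malformed Kerberos name: {name}")
    return Principal(comps, realm)


@dataclass
class Rule:
    is_default: bool = False
    num_components: int = 0
    fmt: str = ""
    match: Optional[re.Pattern] = None
    sub_from: Optional[re.Pattern] = None
    sub_to: str = ""
    repeat: bool = False


# Simplified auth_to_local grammar: RULE:[n:format](regex)s/from/to/g or DEFAULT.
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]+)\]"      # [n:format], $0 = realm, $1..$n = components
    r"(?:\(([^)]*)\))?"              # optional (regex) the formatted string must match
    r"(?:s/([^/]*)/([^/]*)/(g)?)?$"  # optional sed-style substitution
)


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for raw in (line.strip() for line in text.splitlines() if line.strip()):
        if raw == "DEFAULT":
            rules.append(Rule(is_default=True))
            continue
        m = RULE_RE.match(raw)
        if not m:
            raise ValueError(f"Invalid rule: {raw}")
        n, fmt, regex, frm, to, g = m.groups()
        rules.append(Rule(False, int(n), fmt,
                          re.compile(regex) if regex is not None else None,
                          re.compile(frm) if frm is not None else None,
                          to or "", g == "g"))
    return rules


def apply_rule(rule: Rule, p: Principal) -> Optional[str]:
    """Return the mapped name, or None if this rule does not fire for the principal."""
    params = [p.realm or ""] + p.components  # $0, $1, ..., $n
    if rule.is_default:
        # DEFAULT as assumed here: a principal in the default realm maps to its first component.
        return p.components[0] if p.realm == DEFAULT_REALM else None
    if len(p.components) != rule.num_components:
        return None  # a [n:...] rule only fires for principals with exactly n components

    def param(m):
        i = int(m.group(1))
        if i >= len(params):
            raise ValueError(f"Rule references ${i} but principal has {len(p.components)} components")
        return params[i]

    base = re.sub(r"\$(\d+)", param, rule.fmt)
    if rule.match is not None and not rule.match.fullmatch(base):
        return None
    if rule.sub_from is None:
        return base
    return rule.sub_from.sub(rule.sub_to, base, count=0 if rule.repeat else 1)


NON_SIMPLE = re.compile(r"[/@]")


def short_name(name: str, rules: List[Rule]) -> str:
    """Map a principal to a short user name through the rule list."""
    p = parse_principal(name)
    if p.realm is None:
        return name  # no realm: no Kerberos rules apply, so the name is kept untouched
    for rule in rules:
        result = apply_rule(rule, p)
        if result is not None:
            if NON_SIMPLE.search(result):
                raise ValueError(f"Non-simple name {result} after auth_to_local rules")
            return result
    raise ValueError(f"No rules applied to {name}")


def naive_simple_user(name: str) -> str:
    """Unsafe: treating an unauthenticated 'a/b/c' as a principal and keeping only 'a'."""
    return name.split("/")[0]


def safe_simple_user(name: str) -> str:
    """Safe: with no realm there is nothing to parse, so the literal string is the user."""
    return short_name(name, [])


if __name__ == "__main__":
    rules = parse_rules("""
        RULE:[2:$1@$0](.*@EXAMPLE.COM)s/@.*//
        RULE:[3:$1/$3@$0](HTTP/admin@EXAMPLE.COM)s/.*/http-admin/
        DEFAULT
    """)
    for n in ["HTTP", "HTTP/abc.com", "HTTP/abc.com/admin@EXAMPLE.COM",
              "nn/host1.example.com@EXAMPLE.COM", "alice@EXAMPLE.COM"]:
        p = parse_principal(n)
        print(f"{n}: components={p.components} realm={p.realm} short={short_name(n, rules)}")
    print(naive_simple_user("hdfs/myautogen/program"), "vs", safe_simple_user("hdfs/myautogen/program"))
```

Note that the three-component principal never matches the `[2:...]` rule and is only mapped by a rule written for three components or by DEFAULT; a realm-less name such as hdfs/myautogen/program is returned verbatim and so cannot collapse to hdfs.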