[
https://issues.apache.org/jira/browse/HADOOP-16214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16814831#comment-16814831
]
Eric Yang commented on HADOOP-16214:
------------------------------------
[~daryn] {quote}By design, the regexp previously rejected those 2 invalid use
cases. It's not a regression. How is it relevant to this jira?{quote}
The bad data input matches your proposed regex and also the previous faulty regex.
It does not do an additional check for @ in the components part of the string after
the regex matches. The interpretation of how auth_to_local works in Hadoop is
flawed, and this was hidden by exposing only $0..$2 as regex group indexes, but
it is still vulnerable to a program trying to manipulate bad input strings. The
faulty regex lets $2=="" slip through; also a/@[email protected] ends up with:
[email protected].
MIT auth_to_local is not biased toward parsing UPN or SPN. MIT Kerberos focuses on
knowing the number of components in the principal, and which group index to replace
aname with lname.
{quote}The proposed patch seems to meet the needs of Issac and should have no
objectionable semantic parsing changes?{quote}
The parsing by JDK's own KerberosPrincipal gives confidence that the input is
accurate. The parser changed to the MIT Kerberos technique to map aname to lname.
Fortunately, existing Hadoop auth_to_local rules do not need to change.
> Kerberos name implementation in Hadoop does not accept principals with more
> than two components
> -----------------------------------------------------------------------------------------------
>
> Key: HADOOP-16214
> URL: https://issues.apache.org/jira/browse/HADOOP-16214
> Project: Hadoop Common
> Issue Type: Bug
> Components: auth
> Reporter: Issac Buenrostro
> Priority: Major
> Attachments: HADOOP-16214.001.patch, HADOOP-16214.002.patch,
> HADOOP-16214.003.patch, HADOOP-16214.004.patch, HADOOP-16214.005.patch,
> HADOOP-16214.006.patch, HADOOP-16214.007.patch, HADOOP-16214.008.patch,
> HADOOP-16214.009.patch
>
>
> org.apache.hadoop.security.authentication.util.KerberosName is in charge of
> converting a Kerberos principal to a user name in Hadoop for all of the
> services requiring authentication.
> Although the Kerberos spec
> ([https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html])
> allows for an arbitrary number of components in the principal, the Hadoop
> implementation will throw a "Malformed Kerberos name:" error if the principal
> has more than two components (because the regex can only read serviceName and
> hostName).
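An added illustration of the component-counting approach discussed in the comment above and the multi-component principals from the issue description (example code, not Hadoop's KerberosName or any of the attached patches): a small Python parser that splits a principal on unescaped '/' and '@', rejects empty components and a second '@' before any rule is consulted, and applies one auth_to_local rule only when the component count matches. The rule grammar is the standard `[n:format](regex)s/pattern/replacement/` form; Hadoop's /g and /L flags and DEFAULT rules are assumed out of scope here.

```python
import re
# Rule grammar shared by MIT krb5 and Hadoop auth_to_local, simplified:
#   RULE:[<n>:<format>](<regex>)s/<pattern>/<replacement>/
# Fires only for principals with exactly <n> components; $0 = realm, $1..$n =
# components. Hadoop's /g and /L flags and DEFAULT rules are not modelled.
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?"
                     r"(?:s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/)?$")

def parse_principal(name):
    """Split on unescaped '/', realm after the first unescaped '@', backslash
    escapes the next char; reject empty components, no realm, a second '@'."""
    comps, cur, realm, i = [], [], None, 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):        # escaped char is literal
            (cur if realm is None else realm).append(name[i + 1])
            i += 2
            continue
        if realm is not None:                       # inside the realm
            if ch in "/@":
                raise ValueError(f"Malformed Kerberos name: {name}")
            realm.append(ch)
        elif ch in "/@":                            # component separator
            if not cur:                             # e.g. a/@REALM ($2 == "")
                raise ValueError(f"Malformed Kerberos name: {name}")
            comps.append("".join(cur))
            cur = []
            if ch == "@":
                realm = []
        else:
            cur.append(ch)
        i += 1
    if not realm:                                   # no '@' or empty realm
        raise ValueError(f"Malformed Kerberos name: {name}")
    return comps, "".join(realm)

def apply_rule(rule, principal):
    """Map principal to a short name with one rule; None when it does not apply."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"bad rule: {rule}")
    n, fmt, regex, pat, repl = m.groups()
    comps, realm = parse_principal(principal)
    if len(comps) != int(n):                        # count decides, not a regex
        return None
    groups = [realm] + comps
    short = re.sub(r"\$(\d)", lambda g: groups[int(g.group(1))], fmt)
    if regex is not None and not re.fullmatch(regex, short):
        return None
    return re.sub(pat, repl, short, count=1) if pat is not None else short
```

A three-component principal such as `svc/host/extra@EXAMPLE.COM` is accepted and simply matches no `[2:...]` rule, while `a/@EXAMPLE.COM` is rejected at parse time rather than reaching the rule regex.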
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)