[ https://issues.apache.org/jira/browse/HADOOP-16214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16819518#comment-16819518 ]
Daryn Sharp commented on HADOOP-16214:
--------------------------------------

[~eyang]. You've lost all decorum and are conflating this Jira with the last time you changed this code and I discovered a massive CVE. I will not bother defending myself or patch against your word salad of false accusations and ad-hominem attacks.

[~xkrogen], my patch is something I'd feel comfortable deploying because of the compatibility. Here's what it does:

|| ||principal||serviceName||hostname||$0||$1||$2||$3||
| |daryn@REALM|daryn|(null)|REALM|daryn| | |
| |daryn/@REALM|INVALID| | | | | |
| |daryn/host@REALM|daryn|host|REALM|daryn|host| |
|new|daryn/host/admin@REALM|daryn|host|REALM|daryn|host|admin|

* Modify regexp to match n-many extra components
* DEFAULT rule will not match more than 2 components.
* Add your own rule to match these newly supported principals.
* Effectively nothing changes for current deployments.

––

Eric wants the service handled similar to below. I might have something minorly off but this patch has consumed too much time.

|| ||principal||serviceName||hostname||$0||$1||$2||$3||
| |daryn@REALM|daryn|(null)|REALM|daryn| | |
|regress|daryn/@REALM|daryn/|(null)|REALM|daryn| ""| |
| |daryn/ipv4-host@REALM|daryn|ipv4-host|REALM|daryn|ipv4-host| |
|regress|daryn/ipv6-host@REALM|daryn/ipv6-host|(null)|REALM|daryn|ipv6-host| |
|new|daryn/host/admin@REALM|daryn/host/admin|(null)|REALM|daryn|host|admin|

* Unnecessarily rewrote parser.
* Regressions.
* Service is supposed to be the 1st component but now it becomes context-sensitive which also adds regressions
* DEFAULT rule will unexpectedly match the new principals. It's effectively the CVE again.
* Can't block the new principals if you don't want them.
* Existing behavior regresses, inconsistent new behavior, principals formerly blocked are allowed through w/o action by the admin.
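The following is an added illustration, not code from the Hadoop project or from the patch under discussion. It models the behaviour the first table above describes: the legacy two-component regex, a regex extended to accept any number of extra components, a DEFAULT rule that refuses to match more than two components (so a three-component principal is rejected until an administrator adds a rule for it), and a simplified auth_to_local-style rule to admit the new principal. The regular expressions, the rule representation and the sample principals are assumptions constructed for this example; Hadoop's real rule syntax differs.

```python
import re

# Constructed approximation of the two regexes discussed above (not Hadoop's own).
# Legacy form: service, optional host, realm. A third component cannot match.
LEGACY_TWO_COMPONENT = re.compile(r"^([^/@]*)(/([^/@]*))?@([^/@]*)$")
# Extended form: service, optional host, then n-many extra "/component" parts.
N_COMPONENT = re.compile(r"^([^/@]+)(/([^/@]+))?((?:/[^/@]+)*)@([^/@]+)$")

DEFAULT_REALM = "REALM"  # assumed default realm for this example


def legacy_accepts(principal):
    """True if the original two-component regex would parse the principal."""
    return LEGACY_TWO_COMPONENT.match(principal) is not None


def parse_principal(principal):
    """Return (serviceName, hostname, [$0, $1, $2, ...]) or None if malformed.

    $0 is the realm, $1 the service (first component), $2 the host, and any
    further components follow, mirroring the columns of the table above.
    """
    m = N_COMPONENT.match(principal)
    if not m:
        return None  # e.g. "daryn/@REALM": empty component is INVALID
    service, host, extra, realm = m.group(1), m.group(3), m.group(4), m.group(5)
    components = [realm, service]
    if host is not None:
        components.append(host)
    if extra:
        components.extend(extra.lstrip("/").split("/"))
    return service, host, components


def apply_rules(principal, rules):
    """Map a principal to a short name using an ordered rule list.

    A rule is either the string "DEFAULT" or a tuple
    (num_components, format_string, accept_regex, (sub_pattern, sub_repl)).
    Returns the short name, or None when no rule applies (the principal is
    blocked). Raises ValueError for a malformed principal, as Hadoop does.
    """
    parsed = parse_principal(principal)
    if parsed is None:
        raise ValueError("Malformed Kerberos name: " + principal)
    _service, _host, comps = parsed
    ncomp = len(comps) - 1  # $0 is the realm, not a name component
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only handles principals from the default realm with at
            # most two components; longer principals fall through (blocked
            # unless the admin adds an explicit rule).
            if comps[0] == DEFAULT_REALM and ncomp <= 2:
                return comps[1]
            continue
        n, fmt, accept, substitution = rule
        if n != ncomp:
            continue
        candidate = fmt
        for i, c in enumerate(comps):
            candidate = candidate.replace("$%d" % i, c)
        if not re.fullmatch(accept, candidate):
            continue
        if substitution:
            candidate = re.sub(substitution[0], substitution[1], candidate)
        return candidate
    return None


# Assumed admin-supplied rule admitting the new three-component principal:
# format "$1/$2/$3@$0", accept only daryn/<host>/admin@REALM, keep "daryn".
ADMIN_RULE = (3, "$1/$2/$3@$0", r"daryn/[^/@]+/admin@REALM", (r"/.*$", ""))

if __name__ == "__main__":
    # Constructed sample principals taken from the table above.
    for p in ["daryn@REALM", "daryn/host@REALM", "daryn/host/admin@REALM"]:
        print(p, "legacy:", legacy_accepts(p),
              "DEFAULT only:", apply_rules(p, ["DEFAULT"]),
              "with admin rule:", apply_rules(p, [ADMIN_RULE, "DEFAULT"]))
```

Running it shows the compatibility property the comment claims: one- and two-component principals resolve exactly as before, the empty-component form stays invalid, and the new three-component principal is parsed but yields no short name until a rule for it is configured.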
> Kerberos name implementation in Hadoop does not accept principals with more
> than two components
> -----------------------------------------------------------------------------------------------
>
> Key: HADOOP-16214
> URL: https://issues.apache.org/jira/browse/HADOOP-16214
> Project: Hadoop Common
> Issue Type: Bug
> Components: auth
> Reporter: Issac Buenrostro
> Priority: Major
> Attachments: HADOOP-16214.001.patch, HADOOP-16214.002.patch,
> HADOOP-16214.003.patch, HADOOP-16214.004.patch, HADOOP-16214.005.patch,
> HADOOP-16214.006.patch, HADOOP-16214.007.patch, HADOOP-16214.008.patch,
> HADOOP-16214.009.patch, HADOOP-16214.010.patch, HADOOP-16214.011.patch
>
>
> org.apache.hadoop.security.authentication.util.KerberosName is in charge of
> converting a Kerberos principal to a user name in Hadoop for all of the
> services requiring authentication.
> Although the Kerberos spec
> ([https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html])
> allows for an arbitrary number of components in the principal, the Hadoop
> implementation will throw a "Malformed Kerberos name:" error if the principal
> has more than two components (because the regex can only read serviceName and
> hostName).

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)