[
https://issues.apache.org/jira/browse/HADOOP-16214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16819518#comment-16819518
]
Daryn Sharp commented on HADOOP-16214:
--------------------------------------
[~eyang]. You've lost all decorum and are conflating this Jira with the last
time you changed this code and I discovered a massive CVE. I will not bother
defending myself or patch against your word salad of false accusations and
ad-hominem attacks.
[~xkrogen], my patch is something I'd feel comfortable deploying because of the
compatibility. Here's what it does:
|| ||principal||serviceName||hostname||$0||$1||$2||$3||
| |daryn@REALM|daryn|(null) |REALM|daryn|
| |daryn/@REALM|INVALID|
| |daryn/host@REALM|daryn|host|REALM|daryn|host|
|new|daryn/host/admin@REALM|daryn|host|REALM|daryn|host|admin|
* Modify regexp to match n-many extra components
* DEFAULT rule will not match more than 2 components.
* Add your own rule to match these newly supported principals.
* Effectively nothing changes for current deployments.
––
Eric wants the service handled similar to below. I might have something
minority off but this patch has consumed too much time.
|| ||principal||serviceName||hostname||$0||$1||$2||$3||
| |daryn@REALM|daryn|(null)|REALM|daryn|
|regress|daryn/@REALM|daryn/|(null)|REALM|daryn| ""|
| |daryn/ipv4-host@REALM|daryn|ipv4-host|REALM|daryn|ipv4-host|
|regress|daryn/ipv6-host@REALM|daryn/ipv6-host|(null)|REALM|daryn|ipv6-host|
|new|daryn/host/admin@REALM|daryn/host/admin|(null)|REALM|daryn|host|admin|
* Unnecessarily rewrote parser.
* Regressions.
* Service is supposed to be the 1st component but now it becomes
context-sensitive which also adds regressions
* DEFAULT rule will unexpectedly match the new principals. It's effectively
the CVE again.
* Can't block the new principals if you don't want them.
* Existing behavior regresses, inconsistent new behavior, principals formerly
blocked are allowed through w/o action by the admin.
> Kerberos name implementation in Hadoop does not accept principals with more
> than two components
> -----------------------------------------------------------------------------------------------
>
> Key: HADOOP-16214
> URL: https://issues.apache.org/jira/browse/HADOOP-16214
> Project: Hadoop Common
> Issue Type: Bug
> Components: auth
> Reporter: Issac Buenrostro
> Priority: Major
> Attachments: HADOOP-16214.001.patch, HADOOP-16214.002.patch,
> HADOOP-16214.003.patch, HADOOP-16214.004.patch, HADOOP-16214.005.patch,
> HADOOP-16214.006.patch, HADOOP-16214.007.patch, HADOOP-16214.008.patch,
> HADOOP-16214.009.patch, HADOOP-16214.010.patch, HADOOP-16214.011.patch
>
>
> org.apache.hadoop.security.authentication.util.KerberosName is in charge of
> converting a Kerberos principal to a user name in Hadoop for all of the
> services requiring authentication.
> Although the Kerberos spec
> ([https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html])
> allows for an arbitrary number of components in the principal, the Hadoop
> implementation will throw a "Malformed Kerberos name:" error if the principal
> has more than two components (because the regex can only read serviceName and
> hostName).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
