[
https://issues.apache.org/jira/browse/HADOOP-16214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16827192#comment-16827192
]
Eric Yang edited comment on HADOOP-16214 at 4/26/19 6:36 PM:
-------------------------------------------------------------
[~ibuenros] {quote}Is it the case that adding more components to the principal
will prevent host specific principals to verify matching host?{quote}
Yes, this is the behavior of my patches and conforming to RFC1510 NT-SRV-XHST
pattern. Where Daryn's patch will exact hostname from component 2, if the
principal has more components, this allows the principal
<user>/<role1>/<role2>/<role3>/<role4>@<realm> to act as service principal.
Microsoft has recently added more format to [AD supported service principal
name
format|https://docs.microsoft.com/en-us/windows/desktop/ad/name-formats-for-unique-spns#replicable-services].
Daryn's patch is not entirely accurate, but can work in most happy path.
was (Author: eyang):
[~ibuenros] {quote}Is it the case that adding more components to the principal
will prevent host specific principals to verify matching host?{quote}
Yes, this is the behavior of my patches and conforming to RFC1510 NT-SRV-XHST
pattern. Where Daryn's patch will exact hostname from component 2, if the
principal has more components, this allows the principal
<user>/<role1>/<role2>@<realm> to act as service principal.
> Kerberos name implementation in Hadoop does not accept principals with more
> than two components
> -----------------------------------------------------------------------------------------------
>
> Key: HADOOP-16214
> URL: https://issues.apache.org/jira/browse/HADOOP-16214
> Project: Hadoop Common
> Issue Type: Bug
> Components: auth
> Reporter: Issac Buenrostro
> Priority: Major
> Attachments: Add-service-freeipa.png, HADOOP-16214.001.patch,
> HADOOP-16214.002.patch, HADOOP-16214.003.patch, HADOOP-16214.004.patch,
> HADOOP-16214.005.patch, HADOOP-16214.006.patch, HADOOP-16214.007.patch,
> HADOOP-16214.008.patch, HADOOP-16214.009.patch, HADOOP-16214.010.patch,
> HADOOP-16214.011.patch
>
>
> org.apache.hadoop.security.authentication.util.KerberosName is in charge of
> converting a Kerberos principal to a user name in Hadoop for all of the
> services requiring authentication.
> Although the Kerberos spec
> ([https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html])
> allows for an arbitrary number of components in the principal, the Hadoop
> implementation will throw a "Malformed Kerberos name:" error if the principal
> has more than two components (because the regex can only read serviceName and
> hostName).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
