[
https://issues.apache.org/jira/browse/HADOOP-15440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17065117#comment-17065117
]
Eric Yang commented on HADOOP-15440:
------------------------------------
[~hexiaoqiao] {quote}it could be checked in the following statement for this
case IIUC.{quote}
The patch has this regex pattern:
{code}String[] components = principalConfig.split("[/@]");{code}
This allows test/_HOST/test to work as a service principal, which is not allowed
by the [RFC4120|https://www.ietf.org/rfc/rfc4120.txt] description. Java JDK code
will accept a [principal name without a
realm|https://github.com/frohoff/jdk8u-jdk/blob/master/src/share/classes/javax/security/auth/kerberos/KerberosPrincipal.java#L119]
and add the default realm if realm information is missing. This allows the
validation to pass for the test/_HOST/test principal as a service principal,
which does not strictly follow the KRB_NT_SRV_XHST specification. This
principal is a valid Kerberos principal, but it is not a valid service
principal.
Is this reasoning more clear?
{quote}It is true that using `hadoop.security.dns.interface` is more accurate.
Actually this logic is implemented completely in `SecurityUtil`, but when I want
to import `hadoop-common` into sub-module `hadoop-auth` it throws a cyclic
reference exception. So my question is whether we need to add the same logic to
sub-module `hadoop-auth`, or whether there are other solutions? Sorry, I am not
very familiar with this module. Thanks again.{quote}
I've encountered a similar inconvenience with the Hadoop project structure that
prevents code sharing between hadoop-common and hadoop-auth. The involved code
pieces might need to be duplicated in the hadoop-auth module to prevent
security bugs. It is unfortunate that the code used to live in the same hadoop
common code base in Hadoop 0.20.x, then the maven project restructuring
screwed things up. We live with the debris of over-refactored projects. I think
it will be ok to bring some logic from hadoop-common to hadoop-auth for this
issue. A hadoop-common + hadoop-auth module merge should be treated as a
separate issue.
> Support kerberos principal name pattern for KerberosAuthenticationHandler
> -------------------------------------------------------------------------
>
> Key: HADOOP-15440
> URL: https://issues.apache.org/jira/browse/HADOOP-15440
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Xiaoqiao He
> Assignee: Xiaoqiao He
> Priority: Major
> Attachments: HADOOP-15440-trunk.001.patch, HADOOP-15440.002.patch
>
>
> When setting up an HttpFS server or KMS server in secure mode, we have to
> configure a Kerberos principal for these services, but they don't support
> converting a Kerberos principal name pattern to a valid Kerberos principal
> name, whereas NameNode/DataNode and many other services can do that, so it
> confuses users. So I propose to replace the hostname pattern with the hostname,
> which should be the fully-qualified domain name.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
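As an added illustration of the point about the split-based check, here is example code written for this note; it is not Hadoop's code, not the patch under review, and not the JDK's `KerberosPrincipal`. It mirrors the `split("[/@]")` behaviour and contrasts it with a strict parser that only accepts the two-component `service/host[@REALM]` shape (the KRB_NT_SRV_HST form; the allowed character set and the FQDN heuristic are assumptions made for the example). The `_HOST` substitution and default-realm fill-in model the behaviour described above; the sample principals are constructed values.

```python
import re

# Constructed sample inputs for this example (not values from the issue):
# a well-formed HTTP service principal pattern and the three-component name
# discussed in the comment above.
PRINCIPAL_OK = "HTTP/_HOST@EXAMPLE.COM"
PRINCIPAL_BAD = "test/_HOST/test"


def lax_components(principal_config):
    """Python mirror of the patch's `principalConfig.split("[/@]")`.

    Any number of '/' or '@' separators is accepted, so "test/_HOST/test"
    splits into three pieces and nothing here says it is not a service
    principal.
    """
    return re.split(r"[/@]", principal_config)


# Strict two-component service principal (KRB_NT_SRV_HST style): exactly one
# service name, one '/', one host/instance, and an optional '@REALM'.
# The character class [^/@]+ is an assumption for this example; real principal
# names also allow backslash-quoted separators, which are not modelled here.
_SERVICE_PRINCIPAL = re.compile(
    r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)(?:@(?P<realm>[^/@]+))?$"
)


def parse_service_principal(principal):
    """Return (service, host, realm_or_None); raise ValueError on any other shape."""
    m = _SERVICE_PRINCIPAL.match(principal)
    if m is None:
        raise ValueError("not a service principal: %r" % (principal,))
    return m.group("service"), m.group("host"), m.group("realm")


def resolve_host_pattern(principal_config, fqdn, default_realm=None):
    """Expand a `service/_HOST[@REALM]` pattern into a concrete service principal.

    `fqdn` is the fully-qualified host name the caller already determined
    (e.g. from a configured DNS interface); requiring a dot in it is a simple
    heuristic assumed for this example, and lower-casing it is likewise an
    assumption. A missing realm is filled from `default_realm`, modelling the
    JDK behaviour described above, but unlike the JDK this refuses to continue
    when no default realm is known.
    """
    service, host, realm = parse_service_principal(principal_config)
    if host == "_HOST":
        if not fqdn or "." not in fqdn:
            raise ValueError("cannot substitute _HOST: %r is not a FQDN" % (fqdn,))
        host = fqdn.lower()
    if realm is None:
        if default_realm is None:
            raise ValueError(
                "principal %r has no realm and no default realm is configured"
                % (principal_config,)
            )
        realm = default_realm
    return "%s/%s@%s" % (service, host, realm)


if __name__ == "__main__":
    print(lax_components(PRINCIPAL_BAD))  # ['test', '_HOST', 'test']
    print(resolve_host_pattern(PRINCIPAL_OK, "host1.example.com"))
    try:
        resolve_host_pattern(PRINCIPAL_BAD, "host1.example.com")
    except ValueError as e:
        print("rejected:", e)
```

The strict parser rejects `test/_HOST/test`, a bare user principal such as `alice@EXAMPLE.COM`, an empty host, and a second `@`, while the split-based check happily returns three components for the first of these and leaves the decision to whatever inspects the array afterwards.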