[ https://issues.apache.org/jira/browse/HADOOP-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13205130#comment-13205130 ]
Allen Wittenauer commented on HADOOP-8043:
------------------------------------------
This patch basically pulls the hostname from the incoming request itself since
the only specific information the filter really has is what is stored in the
servlet request. It does a forward followed by a reverse to make sure that we
get the real, actual DNS FQDN of whatever service is coming in. We pass this
information to the security code which does the macro substitution using the
information we've gleaned. At this point, we know what the principal we need to
init should be.

In the case of services with vips, they only ever bind to one hostname. So the
race and different request problem shouldn't be a concern. In the case of
services without vips that do actually have multiple IPs, those hosts, to be
properly configured in DNS, should reverse resolve to a common name.
> KerberosAuthenticationFilter and friends have some problems
> -----------------------------------------------------------
>
> Key: HADOOP-8043
> URL: https://issues.apache.org/jira/browse/HADOOP-8043
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 1.0.0
> Reporter: Allen Wittenauer
> Priority: Critical
> Attachments: HADOOP-8043-branch-1.0.txt
>
>
> KerberosAuthenticationFilter and friends have three killer usability issues
> and bugs:
> 1. Documentation is misleading/wrong.
> 2. Shared secret stored in a world readable file.
> 3. Lacks support for _HOST macro
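The forward-then-reverse lookup and `_HOST` substitution described in the comment above, as an added example that is not the code from the HADOOP-8043 patch. The class name, the `Dns` interface, the `HTTP/_HOST@EXAMPLE.COM` pattern, the lowercasing step and the DNS records are assumptions constructed for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Map;

public class HostPrincipalExample {
    /** Name lookups, injectable so the demo runs offline (hypothetical interface). */
    interface Dns {
        String forward(String name) throws UnknownHostException;  // name -> IP
        String reverse(String ip) throws UnknownHostException;    // IP -> FQDN
    }

    /** Resolver backed by the JVM's name service, for use outside the demo. */
    static final Dns SYSTEM = new Dns() {
        public String forward(String name) throws UnknownHostException {
            return InetAddress.getByName(name).getHostAddress();
        }
        public String reverse(String ip) throws UnknownHostException {
            // getByName on a literal IP does no lookup; getCanonicalHostName does the PTR query
            return InetAddress.getByName(ip).getCanonicalHostName();
        }
    };

    /** Forward then reverse lookup of the request's server name, then _HOST substitution. */
    static String principalFor(String pattern, String requestServerName, Dns dns)
            throws UnknownHostException {
        String ip = dns.forward(requestServerName);
        String fqdn = dns.reverse(ip).toLowerCase(Locale.ROOT);
        if (fqdn.equals(ip)) {  // reverse lookup failed and only echoed the address
            throw new UnknownHostException("no PTR record for " + ip);
        }
        return pattern.replace("_HOST", fqdn);
    }

    public static void main(String[] args) throws Exception {
        // Constructed records: one VIP alias and two interface names on a multi-homed host.
        Map<String, String> a = Map.of("webhdfs", "192.0.2.10",
                "nn1-eth0.example.com", "192.0.2.21", "nn1-eth1.example.com", "192.0.2.22");
        Map<String, String> ptr = Map.of("192.0.2.10", "WebHDFS.example.com",
                "192.0.2.21", "nn1.example.com", "192.0.2.22", "nn1.example.com");
        Dns fake = new Dns() {
            public String forward(String n) { return a.get(n); }
            public String reverse(String ip) { return ptr.get(ip); }
        };
        for (String name : a.keySet()) {
            System.out.println(name + " -> " + principalFor("HTTP/_HOST@EXAMPLE.COM", name, fake));
        }
    }
}
```

With the constructed records, both interface names on the multi-homed host map to `HTTP/nn1.example.com@EXAMPLE.COM`, which is the "reverse resolve to a common name" case from the comment; the VIP alias maps to `HTTP/webhdfs.example.com@EXAMPLE.COM`.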