[
https://issues.apache.org/jira/browse/HADOOP-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13205872#comment-13205872
]
Alejandro Abdelnur commented on HADOOP-8043:
--------------------------------------------
Chatting with Eric Sammer about he raised a very good point from a security
standpoint, you don't want to load from a keytab a principal name resolved with
a parameter sent by a client.
And, because of how HTTP SPNEGO works (ie in curl), if you use an alias
hostname in the URL, and the server was initialized with a principal with
another hostname, then the Negotiate header sent by the client will contain as
the expected server principal name 'HTTP/<HOSTNAME_IN_URL>@<REALM>'.
> KerberosAuthenticationFilter and friends have some problems
> -----------------------------------------------------------
>
> Key: HADOOP-8043
> URL: https://issues.apache.org/jira/browse/HADOOP-8043
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 1.0.0
> Reporter: Allen Wittenauer
> Priority: Critical
> Attachments: HADOOP-8043-branch-1.0.txt
>
>
> KerberosAuthenticationFilter and friends have three killer usability issues
> and bugs:
> 1. Documentation is misleading/wrong.
> 2. Shared secret stored in a world readable file.
> 3. Lacks support for _HOST macro
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
