[jira] [Commented] (HADOOP-8043) KerberosAuthenticationFilter and friends have some problems

Fri, 10 Feb 2012 19:28:07 -0800 

    [ 
https://issues.apache.org/jira/browse/HADOOP-8043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13206001#comment-13206001
 ] 

Allen Wittenauer commented on HADOOP-8043:
------------------------------------------

I think there is some confusion: I don't intend to create a patch to be 
committed.  I'm only filing jiras with patches so that other people don't have 
to deal with the issues around getting 1.0 up and running.  Given how much 
various other companies are proud to tout their patch counts, these should be 
some easy points.

BTW, I also think there is some confusion around how the patch gets the name. 
See, whatever the user used for incoming that gets converted to an IP address.  
Given that we can specifically bind the NN and JT to specific address:port 
combos, the admin has control over what is actually valid.   So the name that 
is going to get used is the reverse lookup of the incoming IP of the address we 
bound to.  So there is zero concern here about getting the wrong principal on 
those hosts if we assume that DNS is configured correctly.  If DNS isn't 
configured correctly, well... they have bigger issues to deal with.



                
> KerberosAuthenticationFilter and friends have some problems
> -----------------------------------------------------------
>
>                 Key: HADOOP-8043
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8043
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 1.0.0
>            Reporter: Allen Wittenauer
>            Priority: Critical
>         Attachments: HADOOP-8043-branch-1.0.txt
>
>
> KerberosAuthenticationFilter and friends have three killer usability issues 
> and bugs:
> 1. Documentation is misleading/wrong.
> 2. Shared secret stored in a world readable file.
> 3. Lacks support for _HOST macro

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to