[
https://issues.apache.org/jira/browse/HADOOP-8518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13399306#comment-13399306
]
Daryn Sharp commented on HADOOP-8518:
-------------------------------------
Thanks for enlightening me Alejandro. I did not realize SPNEGO is creating a
service ticket. Based on a quick read, it seems that CNAMES and proxies are
often problematic and usually require an explicit config. Using config options
would seem to be problematic/expensive to maintain in multi-grid environments.
Would perhaps a cleaner way be for the server to send a http response header
containing it's canonical hostname? If that header is present, the SPNEGO
client will use it to construct the server principal?
> SPNEGO client side should use KerberosName rules
> ------------------------------------------------
>
> Key: HADOOP-8518
> URL: https://issues.apache.org/jira/browse/HADOOP-8518
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 1.0.3, 2.0.0-alpha
> Reporter: Alejandro Abdelnur
> Assignee: Alejandro Abdelnur
> Fix For: 1.1.0, 2.0.1-alpha
>
>
> currently KerberosName is used only on the server side to resolve the client
> name, we should use it on the client side as well to resolve the server name
> before getting the kerberos ticket.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
