[
https://issues.apache.org/jira/browse/HADOOP-9019?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13494690#comment-13494690
]
Allen Wittenauer commented on HADOOP-9019:
------------------------------------------
I seem to recall that using IP addresses in principals was a big no-no since
many clients will do a reverse lookup as part of the validation sequence.
(This is why one of the most effective ways to break Kerberos is via DNS MITM
attacks.) In other words, using FQDN here is more of a Kerberos thing than a
Hadoop thing.
> KerberosAuthenticator.doSpnegoSequence(..) should create a HTTP principal
> with hostname everytime
> --------------------------------------------------------------------------------------------------
>
> Key: HADOOP-9019
> URL: https://issues.apache.org/jira/browse/HADOOP-9019
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Vinay
>
> In KerberosAuthenticator.doSpnegoSequence(..), the following line of code will
> just create a principal of the form "HTTP/<host>":
> {code}
> String servicePrincipal = KerberosUtil.getServicePrincipal("HTTP",
>     KerberosAuthenticator.this.url.getHost());
> {code}
> but uri.getHost() is not sure to always return a hostname. If the URI contains
> an IP, then it just returns the IP.
> For SPNEGO authentication, the principal should always be created with <hostname>.
> The code should be something like this, which will look in /etc/hosts to get
> the hostname:
> {code}
> String hostname = InetAddress.getByName(
>     KerberosAuthenticator.this.url.getHost()).getHostName();
> String servicePrincipal = KerberosUtil.getServicePrincipal("HTTP", hostname);
> {code}
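Added example (not from the JIRA thread and not Hadoop's own code): a standalone Java version of the principal construction discussed above that refuses to build "HTTP/<ip>", because InetAddress.getHostName() falls back to the textual address when the reverse lookup finds no name, and the name it does return is only as trustworthy as the resolver behind it. The class and method names and the sample URLs are hypothetical, the IP-literal test is a heuristic, and the principal string is built directly rather than through KerberosUtil.

```java
import java.net.InetAddress;
import java.net.URL;
import java.net.UnknownHostException;
import java.util.regex.Pattern;

// Added illustration; SpnegoPrincipalCheck and its methods are hypothetical names.
public class SpnegoPrincipalCheck {

    // Heuristic: dotted-quad IPv4, or anything containing ':' (IPv6; URL.getHost()
    // returns IPv6 literals in brackets, and DNS names cannot contain ':').
    private static final Pattern IPV4 = Pattern.compile("^\\d{1,3}(\\.\\d{1,3}){3}$");

    static boolean isIpLiteral(String host) {
        return host.indexOf(':') >= 0 || IPV4.matcher(host).matches();
    }

    // Returns "HTTP/<hostname>", or throws instead of producing "HTTP/<ip>".
    static String httpPrincipalFor(URL url) throws UnknownHostException {
        String host = url.getHost();
        if (isIpLiteral(host)) {
            // getByName() on a literal does no lookup; getHostName() then performs
            // the reverse lookup (hosts file or DNS, per the system resolver order)
            // and returns the textual IP when no name is found.
            String resolved = InetAddress.getByName(host).getHostName();
            if (isIpLiteral(resolved)) {
                throw new UnknownHostException(
                    "no hostname for " + host + "; refusing to build HTTP/<ip>");
            }
            host = resolved;
        }
        return "HTTP/" + host;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample URLs; 192.0.2.10 is a documentation address (RFC 5737).
        String[] samples = {
            "http://namenode.example.com:50070/",
            "http://127.0.0.1:50070/",
            "http://192.0.2.10:50070/"
        };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + httpPrincipalFor(new URL(s)));
            } catch (UnknownHostException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```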