[
https://issues.apache.org/jira/browse/HADOOP-9868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13738362#comment-13738362
]
Alejandro Abdelnur commented on HADOOP-9868:
--------------------------------------------
[~daryn], I'm a bit puzzled by this HADOOP-9789. While I understand the
reasoning for it, doesn't that weaken security? An impersonator can publish an
alternate principal for which it has a keytab for.
> Server must not advertise kerberos realm
> ----------------------------------------
>
> Key: HADOOP-9868
> URL: https://issues.apache.org/jira/browse/HADOOP-9868
> Project: Hadoop Common
> Issue Type: Bug
> Components: ipc
> Affects Versions: 3.0.0, 2.1.1-beta
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HADOOP-9868.patch
>
>
> HADOOP-9789 broke kerberos authentication by making the RPC server advertise
> the kerberos service principal realm. SASL clients and servers do not
> support specifying a realm, so it must be removed from the advertisement.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
