[
https://issues.apache.org/jira/browse/HADOOP-10183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13860871#comment-13860871
]
Mubashir Kazia commented on HADOOP-10183:
-----------------------------------------
I do not know if the replay attack scenario would still result in this case or
not. There is a subtle difference in the AD configuration because each node
will have a separate SPN even though they use the same principal underneath.
The clients are going to request service tickets using SPN. It is common in AD
environment to have SPNs for multiple servers of the same service to a single
principal or have multiple SPNs for different services to a single machine
principal. I don't know what limit, if any, would trigger a replay attack
defense.
Regarding your question of whether this can be supported without any code
change, it may cause some other issues in Sasl code as the current Sasl
configuration is dependent on hostname from the configured SPN. So even if I
configure all the SPNs on the same principal in the keytab that is in SPN
format, the clients will not be requesting with distinct SPNs but the same SPN
that is in the keytab file and that may very well trigger a replay attack
defense.
> Allow use of UPN style principals in keytab files
> -------------------------------------------------
>
> Key: HADOOP-10183
> URL: https://issues.apache.org/jira/browse/HADOOP-10183
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 2.2.0
> Reporter: Mubashir Kazia
> Assignee: Mubashir Kazia
> Attachments: AppConnection.java, HADOOP-10183.patch,
> HADOOP-10183.patch.1, Jaas.java, SaslTestClient.java, SaslTestServer.java,
> hdfs.keytab, jaas-krb5.conf, krb5.conf
>
>
> Hadoop currently only allows SPN style (E.g. hdfs/node.fqdn@REALM) principals
> in keytab files in a cluster configured with Kerberos security. This causes
> the burden of creating multiple principals and keytabs for each node of the
> cluster. Active Directory allows the use of a single principal across multiple
> hosts if the SPNs for different hosts have been set up correctly on the
> principal. With this scheme we have the server side using a keytab file with a
> UPN style (E.g. hdfs@REALM) principal for a given service for all the nodes
> of the cluster. The client side will request service tickets with the SPN and
> its own TGT and Active Directory will grant service tickets with the correct
> secret.
> This will simplify the use of principals and keytab files for Active
> Directory users with one principal for each service across all the nodes of
> the cluster.
> I have a patch to allow the use of UPN style principals in Hadoop. The patch
> will not affect the use of SPN style principals. I couldn't figure out a way
> to write test cases against MiniKDC so I have included the Oracle/Sun sample
> Sasl server and client code along with the configuration I used to confirm
> this scheme works.
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
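Added example, not part of the issue or of the HADOOP-10183 patch: a small model of the two keytab principal styles the issue contrasts. The client derives the per-node SPN from a configured `hdfs/_HOST@REALM` pattern (Hadoop substitutes `_HOST` with the node's hostname), while the server's keytab holds either SPN-style or UPN-style entries; `keytab_covers` compares the SPN-only rule the issue describes as current behaviour with the proposed relaxation. The `allow_upn` flag, the lowercasing of the host and the requirement that the UPN's primary match the service name are assumptions of this model.

```python
# Added example (not from the HADOOP-10183 patch): models SPN-style vs
# UPN-style keytab principals and how a server decides whether its keytab
# covers the principal a client asked a ticket for.
from typing import List, NamedTuple, Optional


class Principal(NamedTuple):
    primary: str             # service name, e.g. "hdfs"
    instance: Optional[str]  # host part of an SPN; None for a UPN
    realm: str


def parse_principal(text: str) -> Principal:
    """Parse 'primary[/instance]@REALM' into its components."""
    name, sep, realm = text.partition("@")
    if not sep or not realm or not name:
        raise ValueError(f"malformed principal: {text!r}")
    primary, _, instance = name.partition("/")
    if not primary:
        raise ValueError(f"malformed principal: {text!r}")
    return Principal(primary, instance or None, realm)


def is_upn_style(p: Principal) -> bool:
    """UPN style (hdfs@REALM) has no host instance; SPN style (hdfs/host@REALM) does."""
    return p.instance is None


def client_spn(pattern: str, fqdn: str) -> Principal:
    """Expand a Hadoop-style hdfs/_HOST@REALM pattern for the node being contacted.
    Lowercasing the host is an assumption made here for consistent matching."""
    return parse_principal(pattern.replace("_HOST", fqdn.lower()))


def keytab_covers(keytab: List[str], wanted: Principal, allow_upn: bool) -> bool:
    """Can a service holding `keytab` accept a ticket issued for `wanted`?

    allow_upn=False: the SPN-only rule (one hdfs/<host>@REALM entry per node).
    allow_upn=True:  a single hdfs@REALM entry stands in for every
                     hdfs/<host>@REALM that AD maps onto that account.
    """
    for entry in map(parse_principal, keytab):
        if entry == wanted:
            return True
        if (allow_upn and is_upn_style(entry)
                and (entry.primary, entry.realm) == (wanted.primary, wanted.realm)):
            return True
    return False
```

Running `keytab_covers(["hdfs@EXAMPLE.COM"], client_spn("hdfs/_HOST@EXAMPLE.COM", "node1.example.com"), allow_upn=False)` returns False, and the same call with `allow_upn=True` returns True, which is the behavioural change the issue asks for.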