[ https://issues.apache.org/jira/browse/STORM-427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rick Kellogg updated STORM-427:
-------------------------------
Component/s: storm-hbase
> (Security) AutoTGT with HBase can expose JVM kerberos issue
> -----------------------------------------------------------
>
> Key: STORM-427
> URL: https://issues.apache.org/jira/browse/STORM-427
> Project: Apache Storm
> Issue Type: Bug
> Components: storm-hbase
> Affects Versions: 0.10.0
> Reporter: Robert Joseph Evans
> Assignee: Robert Joseph Evans
> Priority: Blocker
> Labels: security
> Fix For: 0.10.0
>
>
> The Oracle JVM in all versions I have looked at has a bug where it is
> possible for the JVM to use a service ticket instead of a TGT when requesting
> a service ticket from the KDC.
> The way the JVM code works right now is that when it looks for the TGT to use
> to connect to the KDC it will iterate over all of the KerberosTickets in
> the private credentials, but it will pull out and use the first ticket that
> is for the current client. The private credentials set is actually backed by
> a linked list, so the order they are scanned is insertion order. Because a
> TGT is going to be inserted before any service tickets in the common case all
> is fine; the issue only shows up when we insert a new TGT after other
> still-valid service tickets.
> This also only shows up when you are talking to more than one service, like
> we do with HBase. If it were talking to just one service then the Java code
> would reuse the valid service ticket instead of trying to get a new service
> ticket. I'll put up a pull request shortly.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
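Added example, not part of the JIRA issue or of Storm's own code: a small Java program that reproduces the credential-order behaviour the description walks through, using constructed principals and placeholder ticket bytes. The `tgtOnly` filter is an assumed defensive lookup (accept only a `krbtgt/` ticket as the TGT), not the fix that landed in Storm.

```java
import java.util.Date;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class TgtOrderDemo {
    // Constructed client principal; ticket encodings and session keys below are placeholder bytes.
    static final KerberosPrincipal CLIENT = new KerberosPrincipal("storm@EXAMPLE.COM");

    static KerberosTicket ticket(String server, long ttlMillis) {
        Date now = new Date();
        return new KerberosTicket(new byte[] {0x30, 0x00}, CLIENT, new KerberosPrincipal(server),
                new byte[16], 17 /* aes128-cts-hmac-sha1-96 */, new boolean[32],
                now, now, new Date(now.getTime() + ttlMillis), null, null);
    }

    // tgtOnly=false mirrors the lookup the issue describes: the first KerberosTicket issued to this
    // client wins, and Subject.getPrivateCredentials() iterates in insertion order.
    // tgtOnly=true is an assumed defensive variant that only accepts a krbtgt/ ticket as the TGT.
    static KerberosTicket pick(Subject subject, KerberosPrincipal client, boolean tgtOnly) {
        for (Object cred : subject.getPrivateCredentials()) {
            if (!(cred instanceof KerberosTicket)) continue;
            KerberosTicket t = (KerberosTicket) cred;
            if (!t.getClient().equals(client)) continue;
            if (tgtOnly && !t.getServer().getName().startsWith("krbtgt/")) continue;
            return t;
        }
        return null;
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        KerberosTicket tgt = ticket("krbtgt/EXAMPLE.COM@EXAMPLE.COM", 3_600_000L);
        subject.getPrivateCredentials().add(tgt);
        // Service tickets obtained later land after the TGT: the scan still finds the TGT first.
        subject.getPrivateCredentials().add(ticket("hbase/rs1.example.com@EXAMPLE.COM", 3_600_000L));
        subject.getPrivateCredentials().add(ticket("HTTP/nn.example.com@EXAMPLE.COM", 3_600_000L));
        System.out.println("before renewal: " + pick(subject, CLIENT, false).getServer());

        // Renewal the AutoTGT way: the old TGT goes, the fresh one is appended behind the
        // still-valid service tickets, so the naive scan now hands the KDC the hbase ticket.
        subject.getPrivateCredentials().remove(tgt);
        subject.getPrivateCredentials().add(ticket("krbtgt/EXAMPLE.COM@EXAMPLE.COM", 36_000_000L));
        System.out.println("after renewal:  " + pick(subject, CLIENT, false).getServer());
        System.out.println("krbtgt filter:  " + pick(subject, CLIENT, true).getServer());
    }
}
```

The second line printed shows the hbase service ticket being selected where a TGT was expected; the third shows that filtering on the `krbtgt/` server name is order-independent.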