[ https://issues.apache.org/jira/browse/STORM-427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14078443#comment-14078443 ]

ASF GitHub Bot commented on STORM-427:
--------------------------------------

GitHub user revans2 opened a pull request:

    https://github.com/apache/incubator-storm/pull/210

    STORM-427: AutoTGT and HBase can expose JVM kerberos bug.

    

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/revans2/incubator-storm STORM-427

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-storm/pull/210.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #210
    
----
commit ee5bb1792afc28155bd8cdf87e97ebf719c031d1
Author: Robert (Bobby) Evans <[email protected]>
Date:   2014-07-29T21:47:19Z

    STORM-427: AutoTGT and HBase can expose JVM kerberos bug.

----


> (Security) AutoTGT with HBase can expose JVM kerberos issue
> -----------------------------------------------------------
>
>                 Key: STORM-427
>                 URL: https://issues.apache.org/jira/browse/STORM-427
>             Project: Apache Storm (Incubating)
>          Issue Type: Bug
>    Affects Versions: feature-security
>            Reporter: Robert Joseph Evans
>            Assignee: Robert Joseph Evans
>              Labels: security
>
> The Oracle JVM, in all versions I have looked at, has a bug where it is 
> possible for the JVM to use a service ticket instead of a TGT when requesting 
> a service ticket from the KDC.
> The way the JVM code works right now is that when it looks for the TGT to use 
> to connect to the KDC it will iterate over all of the KerberosTickets in 
> the private credentials, but it will pull out and use the first ticket that 
> is for the current client.  The private credentials set is actually backed by 
> a linked list, so the order they are scanned is insertion order.  Because a 
> TGT is going to be inserted before any service tickets in the common case, all 
> is fine; the issue only shows up when we insert a new TGT after other 
> still-valid service tickets.
> This also only shows up when you are talking to more than one service, like 
> we do with HBase.  If it were talking to just one service then the Java code 
> would reuse the valid service ticket instead of trying to get a new service 
> ticket.  I'll put up a pull request shortly.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
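
The ordering problem described in the quoted issue, as an added example that is not the JVM's code, the reporter's code, or the patch in the pull request. The Ticket class is a simplified stand-in for KerberosTicket, the principals are constructed, and removing the old TGT during renewal is an assumption.

```java
import java.util.LinkedList;
import java.util.List;

public class TicketOrderDemo {
    // Hypothetical, simplified stand-in for javax.security.auth.kerberos.KerberosTicket.
    static final class Ticket {
        final String client, server;
        Ticket(String client, String server) { this.client = client; this.server = server; }
        boolean isTgt() { return server.startsWith("krbtgt/"); }
        @Override public String toString() { return server; }
    }

    // Lookup as the issue describes it: the first ticket for the client wins.
    static Ticket firstForClient(List<Ticket> creds, String client) {
        for (Ticket t : creds) if (t.client.equals(client)) return t;
        return null;
    }

    // Stricter lookup: the server principal must also be the ticket-granting service.
    static Ticket firstTgtForClient(List<Ticket> creds, String client) {
        for (Ticket t : creds) if (t.client.equals(client) && t.isTgt()) return t;
        return null;
    }

    // Workaround on the inserting side: keep the renewed TGT ahead of service tickets.
    static void insertTgtFirst(List<Ticket> creds, Ticket newTgt) {
        creds.removeIf(Ticket::isTgt);
        creds.add(0, newTgt);
    }

    public static void main(String[] args) {
        String user = "storm@EXAMPLE.COM";               // constructed principal
        String tgs = "krbtgt/EXAMPLE.COM@EXAMPLE.COM";   // constructed TGS name
        List<Ticket> creds = new LinkedList<>();         // scanned in insertion order
        creds.add(new Ticket(user, tgs));
        creds.add(new Ticket(user, "hbase/master.example.com@EXAMPLE.COM"));
        System.out.println("common case:        " + firstForClient(creds, user));

        // Renewal (assumption: old TGT dropped, new TGT appended after the service ticket).
        creds.removeIf(Ticket::isTgt);
        creds.add(new Ticket(user, tgs));
        System.out.println("after renewal:      " + firstForClient(creds, user));
        System.out.println("strict lookup:      " + firstTgtForClient(creds, user));

        insertTgtFirst(creds, new Ticket(user, tgs));
        System.out.println("TGT inserted first: " + firstForClient(creds, user));
    }
}
```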
