[
https://issues.apache.org/jira/browse/STORM-427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14111189#comment-14111189
]
ASF GitHub Bot commented on STORM-427:
--------------------------------------
Github user ptgoetz commented on the pull request:
https://github.com/apache/incubator-storm/pull/210#issuecomment-53476671
+1
> (Security) AutoTGT with HBase can expose JVM kerberos issue
> -----------------------------------------------------------
>
> Key: STORM-427
> URL: https://issues.apache.org/jira/browse/STORM-427
> Project: Apache Storm (Incubating)
> Issue Type: Bug
> Affects Versions: feature-security
> Reporter: Robert Joseph Evans
> Assignee: Robert Joseph Evans
> Priority: Blocker
> Labels: security
>
> The Oracle JVM, in all versions I have looked at, has a bug where it is
> possible for the JVM to use a service ticket instead of a TGT when requesting
> a service ticket from the KDC.
> The way the JVM code works right now is that when it looks for the TGT to use
> to connect to the KDC it will iterate over all of the KerberosTickets in
> the private credentials, but it will pull out and use the first ticket that
> is for the current client. The private credentials set is actually backed by
> a linked list, so the order they are scanned is insertion order. Because a
> TGT is going to be inserted before any service tickets in the common case all
> is fine; the issue only shows up when we insert a new TGT after other
> still-valid service tickets.
> This also only shows up when you are talking to more than one service, like
> we do with HBase. If it were talking to just one service then the Java code
> would reuse the valid service ticket instead of trying to get a new service
> ticket. I'll put up a pull request shortly.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
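The insertion-order problem described in the issue, as an added illustration that is not part of the JIRA thread or of Storm's own pull request. It assumes a constructed realm and principal names and uses dummy ticket bytes; `select(creds, true)` is an added defensive check (require the server principal to be the realm's krbtgt service), not the fix Storm shipped.

```java
import java.util.Date;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class TgtOrderDemo {
    // Constructed realm and client principal for the demonstration.
    static final String REALM = "EXAMPLE.COM";
    static final KerberosPrincipal CLIENT = new KerberosPrincipal("storm@" + REALM);

    // Stand-in ticket: the ASN.1 encoding and session key are dummy bytes, so the
    // object is only good for inspecting client/server names and validity.
    static KerberosTicket ticket(String server, long lifetimeMs) {
        Date now = new Date();
        return new KerberosTicket(new byte[] {0}, CLIENT, new KerberosPrincipal(server),
                new byte[] {0}, 17, null, now, now, new Date(now.getTime() + lifetimeMs),
                null, null);
    }

    // requireTgt=false: the selection the issue describes (first current ticket for
    // the client, whatever service it is for). requireTgt=true: added defensive check.
    static KerberosTicket select(Set<Object> creds, boolean requireTgt) {
        String tgs = "krbtgt/" + REALM + "@" + REALM;
        for (Object o : creds) {
            if (!(o instanceof KerberosTicket)) continue;
            KerberosTicket t = (KerberosTicket) o;
            if (!t.isCurrent() || !CLIENT.equals(t.getClient())) continue;
            if (!requireTgt || tgs.equals(t.getServer().getName())) return t;
        }
        return null;
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        Set<Object> creds = subject.getPrivateCredentials(); // scanned in insertion order
        // Scenario from the issue: the old TGT is gone, a still-valid HBase service
        // ticket remains, and only then is a fresh TGT added behind it.
        creds.add(ticket("hbase/master.example.com@" + REALM, 3_600_000L));
        creds.add(ticket("krbtgt/" + REALM + "@" + REALM, 36_000_000L));
        System.out.println("first ticket for client: " + select(creds, false).getServer());
        System.out.println("first TGT for client   : " + select(creds, true).getServer());
    }
}
```

With the credentials added in that order, the first line names the HBase service principal (the ticket the JVM would wrongly send to the KDC) and the second names the krbtgt principal.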