[ https://issues.apache.org/jira/browse/ZOOKEEPER-2405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15287629#comment-15287629 ]
Patrick Hunt commented on ZOOKEEPER-2405:
-----------------------------------------

I tested it out and the results look good:

{noformat}
2016-05-17 21:32:51,707 [myid:] - DEBUG [Thread-4:Login@339] - Client principal is zookeeper/kerberos.example....@example.com.
2016-05-17 21:32:51,707 [myid:] - DEBUG [Thread-4:Login@340] - Server principal is krbtgt/example....@example.com.
{noformat}

However, I'd recommend that you delineate the principal value, e.g. wrap it in double quotes so it's easier to identify exactly what the principal is. In the log output above the trailing "." is not really part of the value.

> getTGT() in Login.java mishandles confidential information
> ----------------------------------------------------------
>
>                 Key: ZOOKEEPER-2405
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2405
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: kerberos, security, server
>    Affects Versions: 3.4.8, 3.5.1, 3.6.0
>            Reporter: Patrick Hunt
>            Assignee: Michael Han
>            Priority: Blocker
>             Fix For: 3.4.9, 3.5.2, 3.6.0
>
>         Attachments: ZOOKEEPER-2405.patch, ZOOKEEPER-2405.patch, ZOOKEEPER-2405.patch
>
>
> We're logging the kerberos ticket when in debug mode, probably not the best idea. This was identified as a "critical" issue by Fortify.
>
> {noformat}
> for(KerberosTicket ticket: tickets) {
>     KerberosPrincipal server = ticket.getServer();
>     if (server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm())) {
>         LOG.debug("Found tgt " + ticket + ".");
>         return ticket;
>     }
> }
> {noformat}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
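The following is an added, stand-alone example and is not code from ZooKeeper or from this issue's patch. It reproduces the TGT selection test quoted above and contrasts the pre-fix logging (string-concatenating the `KerberosTicket`, whose `toString()` in OpenJDK hex-dumps the encoded ticket and the session key) with a safe debug line that prints only the client and server principal names, each wrapped in double quotes as suggested in the comment. The class name `TgtLoggingDemo`, the helper `fakeTicket`, the principal names and the ticket bytes are all made up for the demo; the ticket is built from placeholder bytes and an all-zero key, so no KDC is involved and nothing sensitive is printed.

```java
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

// Added demo class (hypothetical name), not part of ZooKeeper.
public class TgtLoggingDemo {

    // Same TGT test as the quoted getTGT() loop: the server principal must be
    // krbtgt/<realm>@<realm>.
    static boolean isTgt(KerberosTicket ticket) {
        KerberosPrincipal server = ticket.getServer();
        String realm = server.getRealm();
        return server.getName().equals("krbtgt/" + realm + "@" + realm);
    }

    static KerberosTicket findTgt(Set<KerberosTicket> tickets) {
        for (KerberosTicket ticket : tickets) {
            if (isTgt(ticket)) {
                return ticket;
            }
        }
        return null;
    }

    // Safe debug text: principal names only, quoted so the sentence's trailing
    // period cannot be mistaken for part of the value.
    static String describe(KerberosTicket ticket) {
        return "Found TGT: client principal is \"" + ticket.getClient().getName()
             + "\", server principal is \"" + ticket.getServer().getName() + "\".";
    }

    // Constructed ticket with placeholder bytes and an all-zero key (hypothetical
    // helper, no KDC involved). Flags are all false so no renewTill is required.
    static KerberosTicket fakeTicket(String client, String server) {
        byte[] asn1 = "not-a-real-ticket".getBytes(StandardCharsets.US_ASCII);
        byte[] key = new byte[32];          // placeholder, never a real session key
        long now = System.currentTimeMillis();
        return new KerberosTicket(asn1,
                new KerberosPrincipal(client),
                new KerberosPrincipal(server),
                key, 18,                     // 18 = aes256-cts-hmac-sha1-96
                new boolean[32],
                new Date(now), new Date(now),
                new Date(now + 8L * 3600 * 1000),
                null, (InetAddress[]) null);
    }

    public static void main(String[] args) {
        Set<KerberosTicket> tickets = new LinkedHashSet<>();
        // A service ticket first, to show the loop skips non-TGT entries.
        tickets.add(fakeTicket("zookeeper/kerberos.example.com@EXAMPLE.COM",
                               "zookeeper/zk1.example.com@EXAMPLE.COM"));
        tickets.add(fakeTicket("zookeeper/kerberos.example.com@EXAMPLE.COM",
                               "krbtgt/EXAMPLE.COM@EXAMPLE.COM"));

        KerberosTicket tgt = findTgt(tickets);

        // What the pre-fix LOG.debug("Found tgt " + ticket + ".") effectively emitted:
        // KerberosTicket.toString() includes hex dumps of the ticket and session key.
        System.out.println("--- pre-fix: ticket.toString() ---");
        System.out.println(tgt);

        // What a debug line should carry instead.
        System.out.println("--- safe form ---");
        System.out.println(describe(tgt));
    }
}
```

Run it with `javac TgtLoggingDemo.java && java TgtLoggingDemo`. The first section shows why the Fortify finding was rated critical: anything that `toString()`s a `KerberosTicket` into a log line ships the session key to whoever can read the log. The second section is all a DEBUG line needs to confirm which credential was selected.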